CVE-2026-25857
Published: 07 February 2026
Summary
CVE-2026-25857 is a high-severity OS Command Injection (CWE-78) vulnerability in Tenda G300-F Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of attacker-controlled inputs incorporated into shell commands in formSetWanDiag to prevent OS command injection.
Mandates timely identification, reporting, and patching of the specific command injection flaw via firmware updates as recommended in advisories.
Monitors and controls network communications to the management interface, blocking unauthorized remote access required to exploit formSetWanDiag.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote exploitation of public-facing router web management interface (T1190) via command injection, allowing arbitrary Unix shell command execution (T1059.004).
NVD Description
Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization.…
more
As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
Deeper analysisAI
CVE-2026-25857 is an OS command injection vulnerability (CWE-78) in Tenda G300-F router firmware versions 16.01.14.2 and prior. The issue affects the WAN diagnostic functionality, specifically the formSetWanDiag component, where the implementation constructs a shell command that invokes curl and directly incorporates attacker-controlled input into the command line without adequate neutralization or sanitization.
A remote attacker with access to the affected management interface and low privileges (PR:L) can exploit the vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation enables injection of additional shell syntax, allowing arbitrary command execution on the device with the privileges of the management process. The vulnerability yields high impacts on confidentiality, integrity, and availability, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Advisories and mitigation guidance are provided by Tenda at https://www.tendacn.com/material/show/736333682028613, as well as researchers at https://blog.evan.lat/blog/cve-2026-25857/ and https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag. Security practitioners should review these sources for firmware patches, upgrade instructions, or temporary workarounds such as restricting management interface access.
Details
- CWE(s)