Cyber Posture

CVE-2026-38834

HighPublic PoC

Published: 21 April 2026

Published
21 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.1321 94.2th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-38834 is a high-severity Command Injection (CWE-77) vulnerability in Tenda W30E Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates command injection by requiring validation of the unsanitized hostName parameter in the do_ping_action function.

SI-2 Flaw Remediation good match
prevent

Remediates the specific command injection flaw through identification, reporting, and patching of the vulnerable firmware version V16.01.0.21.

IA-8 Identification and Authentication (Non-organizational Users) partial match
prevent

Requires identification and authentication for non-organizational users accessing the vulnerable do_ping_action function, blocking unauthenticated remote exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Command injection in public-facing router interface (do_ping_action) enables remote unauthenticated arbitrary command execution, directly mapping to T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) for command execution on Linux-based firmware.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Deeper analysisAI

CVE-2026-38834, published on 2026-04-21, is a command injection vulnerability in the Tenda W30E V2.0 router running firmware version V16.01.0.21. The issue exists in the do_ping_action function, where the hostName parameter lacks proper input sanitization, enabling attackers to inject and execute arbitrary commands via a crafted request. It is classified under CWE-77 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By sending a specially crafted request to the affected function, attackers achieve arbitrary command execution on the device, resulting in low impacts to confidentiality, integrity, and availability.

Advisories and further details are available in the referenced GitHub repository at https://github.com/jsjbcyber/repo/blob/main/rep_1.md.

Details

CWE(s)
CWE-77

Affected Products

tenda
w30e firmware
16.01.0.21

CVEs Like This One

CVE-2026-38835Same product: Tenda W30E
CVE-2026-24429Same product: Tenda W30E
CVE-2024-57583Same vendor: Tenda
CVE-2025-57085Same product: Tenda W30E
CVE-2026-24430Same product: Tenda W30E
CVE-2025-22949Same vendor: Tenda
CVE-2026-24436Same product: Tenda W30E
CVE-2026-24440Same product: Tenda W30E
CVE-2026-24428Same product: Tenda W30E
CVE-2026-7119Same vendor: Tenda

References