CVE-2026-38834
Published: 21 April 2026
Summary
CVE-2026-38834 is a high-severity Command Injection (CWE-77) vulnerability in Tenda W30E Firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Tenda W30E V2.0 running firmware V16.01.0.21 contains a command injection vulnerability in the do_ping_action function that is triggered through the hostName parameter. The flaw, tracked as CVE-2026-38834 and assigned CWE-77, permits an attacker to supply a crafted request that results in execution of arbitrary operating-system commands on the device. The issue received a CVSS 3.1 score of 7.3 reflecting network attack vector, low complexity, and no required credentials or user interaction.
An unauthenticated remote attacker can send a malicious HTTP request containing shell metacharacters in the hostName field to achieve command execution. Successful exploitation grants the attacker the ability to read, modify, or delete data and potentially alter device behavior, consistent with the partial impact metrics reported for confidentiality, integrity, and availability.
The EPSS score for the vulnerability stands at 0.1440 with an identical recorded peak, indicating no material increase in observed exploitation interest since disclosure. The two referenced GitHub URLs point to the same repository file but supply no advisory text, patch details, or mitigation guidance within the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24162
Vulnerability details
Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in public-facing router interface (do_ping_action) enables remote unauthenticated arbitrary command execution, directly mapping to T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) for command execution on Linux-based firmware.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates command injection by requiring validation of the unsanitized hostName parameter in the do_ping_action function.
Remediates the specific command injection flaw through identification, reporting, and patching of the vulnerable firmware version V16.01.0.21.
Requires identification and authentication for non-organizational users accessing the vulnerable do_ping_action function, blocking unauthenticated remote exploitation.