Cyber Resilience

CVE-2026-38834

HighPublic PoC

Published: 21 April 2026

Published
21 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.1440 94.6th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-38834 is a high-severity Command Injection (CWE-77) vulnerability in Tenda W30E Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Tenda W30E V2.0 running firmware V16.01.0.21 contains a command injection vulnerability in the do_ping_action function that is triggered through the hostName parameter. The flaw, tracked as CVE-2026-38834 and assigned CWE-77, permits an attacker to supply a crafted request that results in execution of arbitrary operating-system commands on the device. The issue received a CVSS 3.1 score of 7.3 reflecting network attack vector, low complexity, and no required credentials or user interaction.

An unauthenticated remote attacker can send a malicious HTTP request containing shell metacharacters in the hostName field to achieve command execution. Successful exploitation grants the attacker the ability to read, modify, or delete data and potentially alter device behavior, consistent with the partial impact metrics reported for confidentiality, integrity, and availability.

The EPSS score for the vulnerability stands at 0.1440 with an identical recorded peak, indicating no material increase in observed exploitation interest since disclosure. The two referenced GitHub URLs point to the same repository file but supply no advisory text, patch details, or mitigation guidance within the provided information.

EU & UK References

Vulnerability details

Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in public-facing router interface (do_ping_action) enables remote unauthenticated arbitrary command execution, directly mapping to T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) for command execution on Linux-based firmware.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-38835Same product: Tenda W30E
CVE-2026-24429Same product: Tenda W30E
CVE-2025-22949Same vendor: Tenda
CVE-2025-57085Same product: Tenda W30E
CVE-2026-24428Same product: Tenda W30E
CVE-2026-24440Same product: Tenda W30E
CVE-2026-24430Same product: Tenda W30E
CVE-2024-57583Same vendor: Tenda
CVE-2026-24436Same product: Tenda W30E
CVE-2026-8265Same vendor: Tenda

Affected Assets

tenda
w30e firmware
16.01.0.21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates command injection by requiring validation of the unsanitized hostName parameter in the do_ping_action function.

prevent

Remediates the specific command injection flaw through identification, reporting, and patching of the vulnerable firmware version V16.01.0.21.

prevent

Requires identification and authentication for non-organizational users accessing the vulnerable do_ping_action function, blocking unauthenticated remote exploitation.

References