Cyber Posture

CVE-2026-38835

CriticalPublic PoCRCE

Published: 21 April 2026

Published
21 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0092 76.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-38835 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda W30E Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mandates input validation mechanisms at vulnerable entry points like the usbPartitionName parameter to block command injection exploits.

SI-2 Flaw Remediation good match
prevent

Requires identification, reporting, and correction of flaws such as CVE-2026-38835 through timely patching of the affected firmware.

AC-3 Access Enforcement good match
prevent

Enforces access authorizations to restrict unauthenticated remote access to the vulnerable formSetUSBPartitionUmount function.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

Unauthenticated remote command injection via unsanitized web parameter on public-facing router enables exploitation of public-facing application (T1190) and network device CLI command execution (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Deeper analysisAI

CVE-2026-38835 is a command injection vulnerability in the Tenda W30E V2.0 router running firmware version V16.01.0.21. The flaw exists in the formSetUSBPartitionUmount function, where the usbPartitionName parameter is vulnerable to improper input sanitization, enabling attackers to inject and execute arbitrary commands through a specially crafted request. This issue corresponds to CWE-77 and was published on 2026-04-21.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. Unauthenticated attackers can exploit it remotely over the network with low attack complexity and no user interaction, achieving arbitrary command execution on the affected device. This grants high-impact access to compromise confidentiality, integrity, and availability.

References for further details include https://github.com/jsjbcyber/repo/blob/main/rep_2.md.

Details

CWE(s)
CWE-77

Affected Products

tenda
w30e firmware
16.01.0.21

CVEs Like This One

CVE-2026-38834Same product: Tenda W30E
CVE-2026-24429Same product: Tenda W30E
CVE-2026-24436Same product: Tenda W30E
CVE-2025-57085Same product: Tenda W30E
CVE-2026-24428Same product: Tenda W30E
CVE-2026-24440Same product: Tenda W30E
CVE-2026-24430Same product: Tenda W30E
CVE-2026-31255Same vendor: Tenda
CVE-2025-25632Same vendor: Tenda
CVE-2026-6989Same vendor: Tenda

References