CVE-2026-4253
Published: 16 March 2026
Summary
CVE-2026-4253 is a medium-severity Command Injection (CWE-77) vulnerability in Tenda Ac8 Firmware. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by validating and sanitizing the wans.policy.list1 input in the vulnerable route_set_user_policy_rule function of the web interface.
Ensures timely identification, reporting, and patching of the command injection flaw in Tenda AC8 firmware version 16.03.50.11.
Enables monitoring of the web interface and system processes to detect anomalous command executions resulting from exploitation of the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in exposed web UI (UploadCfg) directly enables remote exploitation of public-facing application for arbitrary Unix shell command execution on the device.
NVD Description
A security flaw has been discovered in Tenda AC8 16.03.50.11. This affects the function route_set_user_policy_rule of the file /cgi-bin/UploadCfg of the component Web Interface. The manipulation of the argument wans.policy.list1 results in os command injection. It is possible to launch…
more
the attack remotely. The exploit has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2026-4253 is an OS command injection vulnerability affecting the Tenda AC8 router on firmware version 16.03.50.11. The flaw resides in the route_set_user_policy_rule function within the /cgi-bin/UploadCfg file of the Web Interface component, where manipulation of the wans.policy.list1 argument enables command injection. It is associated with CWEs-77 (Command Injection) and CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by attackers who possess high privileges (PR:H), such as authenticated administrative access to the Web Interface. Upon successful exploitation, adversaries can execute arbitrary operating system commands, resulting in low-level impacts on confidentiality, integrity, and availability.
Advisories detail the issue on VulDB (ctiid.351211, id.351211, submit.771771), with a proof-of-concept exploit script publicly available on GitHub at https://github.com/digitalandrew/tenda_ac8_v5/blob/main/poc_cmdi_config_upload.py. The vendor's website is accessible at https://www.tenda.com.cn/, though specific patch or mitigation guidance is not outlined in the referenced sources.
The exploit has been released publicly, increasing the risk of targeted attacks against vulnerable Tenda AC8 devices.
Details
- CWE(s)