Cyber Resilience

CVE-2026-6989

LowPublic PoC

Published: 25 April 2026

Published
25 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0290 85.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-6989 is a low-severity Injection (CWE-74) vulnerability in Tenda F453 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-6989 is a command injection vulnerability affecting the Tenda F453 router firmware versions up to 1.0.0.3. The issue resides in the TendaTelnet function within the /goform/telnet endpoint of the Telnet Service component. Manipulation of this function enables arbitrary command execution, as classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Command Injection). The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low attack complexity.

A remote attacker with low privileges can exploit this vulnerability without user interaction. By sending crafted requests to the affected endpoint, the attacker achieves command injection, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized access to system information, modification of router settings, or denial of minor services.

Advisories from VulDB detail the vulnerability and recent threat intelligence, while a GitHub repository discloses a public exploit that may be actively used. The vendor's website at tenda.com.cn provides general product information, but no specific patch or mitigation details are outlined in the available references; users should check for firmware updates beyond version 1.0.0.3.

The exploit's public disclosure heightens the risk of real-world exploitation against unpatched Tenda F453 devices.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability has been found in Tenda F453 up to 1.0.0.3. Impacted is the function TendaTelnet of the file /goform/telnet of the component Telnet Service. Such manipulation leads to command injection. It is possible to launch the attack remotely. The…

more

exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

The vulnerability is a command injection in a router's web management Telnet endpoint (public-facing application), enabling arbitrary command execution on the network device CLI.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4554Same product: Tenda F453
CVE-2026-4551Same product: Tenda F453
CVE-2026-3167Same product: Tenda F453
CVE-2026-3399Same product: Tenda F453
CVE-2026-4552Same product: Tenda F453
CVE-2026-3379Same product: Tenda F453
CVE-2026-3166Same product: Tenda F453
CVE-2026-3726Same product: Tenda F453
CVE-2026-3271Same product: Tenda F453
CVE-2026-3729Same product: Tenda F453

Affected Assets

tenda
f453 firmware
1.0.0.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the command injection vulnerability in the TendaTelnet function by identifying, reporting, and applying firmware updates beyond version 1.0.0.3.

prevent

Enforces validation of inputs to the /goform/telnet endpoint to neutralize special elements and block command injection exploits.

prevent

Prohibits or restricts the unnecessary Telnet service and its vulnerable endpoint to eliminate the attack surface.

References