Cyber Resilience

CVE-2026-7096

HighPublic PoCRCE

Published: 27 April 2026

Published
27 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0408 89.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7096 is a high-severity Command Injection (CWE-77) vulnerability in Tenda Hg3 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A security flaw tracked as CVE-2026-7096 affects the Tenda HG3 2.0 device running firmware 300003070. The vulnerability resides in the formgponConf function of the /boaform/admin/formgponConf endpoint and stems from improper handling of the fmgpon_loid argument, resulting in operating-system command injection. The weakness is reachable over the network and is assigned a CVSS 4.0 score of 7.4 with high impact on confidentiality, integrity, and availability.

An authenticated remote attacker can supply a crafted fmgpon_loid value to execute arbitrary operating-system commands on the device. Publicly released exploit code enables this attack path without user interaction, allowing an adversary to obtain elevated control over the affected router.

The EPSS score remains flat at 0.0120 with no material increase after disclosure, indicating limited observed exploitation interest to date.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security flaw has been discovered in Tenda HG3 2.0 300003070. This vulnerability affects the function formgponConf of the file /boaform/admin/formgponConf. The manipulation of the argument fmgpon_loid results in os command injection. It is possible to launch the attack remotely.…

more

The exploit has been released to the public and may be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CVE enables exploitation of public-facing web application (T1190) via command injection in router firmware, directly facilitating arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7119Same product: Tenda Hg3
CVE-2026-7160Same product: Tenda Hg3
CVE-2026-7151Same product: Tenda Hg3
CVE-2026-8259Same vendor: Tenda
CVE-2026-4253Same vendor: Tenda
CVE-2026-8265Same vendor: Tenda
CVE-2026-5547Same vendor: Tenda
CVE-2026-8264Same vendor: Tenda
CVE-2026-8263Same vendor: Tenda
CVE-2025-7414Same vendor: Tenda

Affected Assets

tenda
hg3 firmware
300003070

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the fmgpon_loid input argument before it is passed to operating-system command execution in formgponConf.

prevent

Mandates timely remediation of the publicly disclosed command-injection flaw in the Tenda HG3 firmware before exploitation occurs.

prevent

Limits the privileges of the web-server process so that even a successful fmgpon_loid injection yields minimal system impact.

References