
CVE-2026-7119

High · Public PoC · RCE

Published: 27 April 2026
Modified: 30 April 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: no patch details in the available records
CVSS v4 score: 7.4 (High), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P (all other metrics not defined)
EPSS score: 0.0327 (86.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-7119 is a high-severity command injection (CWE-77) vulnerability in Tenda HG3 firmware. Its CVSS v4 base score is 7.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.1% of all CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

A vulnerability identified as CVE-2026-7119 affects Tenda HG3 2.0 firmware and resides in an unspecified function within the /boaform/formCountrystr endpoint. The flaw stems from improper handling of the countrystr parameter, enabling operating system command injection as classified under CWE-77 and CWE-78. The issue is remotely reachable and carries a CVSS 4.0 score of 7.4 reflecting network attack vector, low complexity, and low-privilege requirements with high impact on confidentiality, integrity, and availability.

An attacker with authenticated remote access can supply crafted input to the affected parameter and execute arbitrary operating system commands on the device. Publicly available exploit code increases the likelihood of successful attacks that could lead to full device compromise without user interaction.
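The weakness class behind this advisory is easiest to see side by side. The C below is an added illustration written for this page, not Tenda's firmware code: the real formCountrystr handler is unspecified in the record, and the setter binary path, the "cfg_set" command name, the two-letter ISO 3166 format assumed for countrystr and the unprivileged uid/gid are all assumptions. The vulnerable pattern splices the form value into a string destined for system(); the hardened form allowlists the value (the SI-10 control named in the summary), passes it to execve() as a single argument so no shell ever parses it, and drops privileges first (the AC-6 control).

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical setter the form handler would run; not a real Tenda binary. */
static char cfg_set_path[] = "/bin/cfg_set";

/* VULNERABLE pattern (CWE-78): the form value is spliced verbatim into a
 * command string destined for system(), i.e. for /bin/sh -c. The string is
 * returned instead of executed so the effect of metacharacters is visible. */
int build_cmd_vulnerable(const char *countrystr, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "cfg_set countrystr=%s", countrystr);
    if (n < 0 || (size_t)n >= cmdlen)
        return -1;
    /* system(cmd) would follow here; ';', '|', '`' and '$(' inside
     * countrystr are parsed by the shell as further commands. */
    return 0;
}

/* SI-10 allowlist: countrystr must be exactly two ASCII uppercase letters
 * (ISO 3166 alpha-2 is an assumption about the expected format). */
int countrystr_is_valid(const char *s)
{
    if (s == NULL || strlen(s) != 2)
        return 0;
    return (s[0] >= 'A' && s[0] <= 'Z') && (s[1] >= 'A' && s[1] <= 'Z');
}

/* Hardened handler: reject anything outside the allowlist, then build an
 * argv for execve() so that no shell ever parses the value. Returns 0 on
 * success, -1 on rejection. argv must have room for three entries. */
int build_argv_hardened(const char *countrystr, char *argbuf, size_t arglen,
                        char *argv[])
{
    if (!countrystr_is_valid(countrystr))
        return -1;
    if (snprintf(argbuf, arglen, "countrystr=%s", countrystr) >= (int)arglen)
        return -1;
    argv[0] = cfg_set_path;
    argv[1] = argbuf;
    argv[2] = NULL;
    return 0;
}

/* AC-6: run the setter without a shell and as an unprivileged user.
 * Fork, drop to uid/gid in the child, execve() with an empty environment.
 * Returns the child's exit status, or -1 on failure. */
int run_setter_no_shell(char *const argv[], uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const envp[] = { NULL };
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);
        execve(argv[0], argv, envp);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a legitimate value and one carrying shell syntax. */
    const char *inputs[] = { "US", "US;id" };
    char cmd[128], argbuf[64], *argv[3];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_cmd_vulnerable(inputs[i], cmd, sizeof cmd) == 0)
            printf("vulnerable: sh -c \"%s\"\n", cmd);
        if (build_argv_hardened(inputs[i], argbuf, sizeof argbuf, argv) == 0)
            printf("hardened  : execve(%s, [\"%s\"]) with no shell\n",
                   argv[0], argv[1]);
        else
            printf("hardened  : rejected \"%s\"\n", inputs[i]);
    }
    /* run_setter_no_shell(argv, 65534, 65534) would apply the last valid value
     * as nobody/nogroup; not run here because cfg_set is hypothetical. */
    return 0;
}
```

The allowlist is the control that actually closes the hole; the execve() path is defence in depth, because a value that never reaches a shell cannot be interpreted as one even if the allowlist is later loosened. Escaping or blocklisting metacharacters in the system() version is not an equivalent fix: a blocklist has to anticipate every shell construct, while the allowlist only has to describe the two letters the field legitimately holds.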

Reference sources consist primarily of vulnerability database entries and a vendor homepage link, with no explicit patch details or mitigation guidance in the available records. The EPSS score recorded at the time of this analysis, 0.0120, showed no material increase since disclosure.


Vulnerability details

A vulnerability was detected in Tenda HG3 2.0. The impacted element is an unknown function of the file /boaform/formCountrystr. The manipulation of the argument countrystr results in OS command injection. The attack may be performed from remote. The exploit is now public and may be used.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Command and Scripting Interpreter: Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE enables remote exploitation of a public-facing router web interface (T1190) to inject arbitrary OS commands, which then run through the device's Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7096 · Same product: Tenda HG3
CVE-2026-7160 · Same product: Tenda HG3
CVE-2026-7151 · Same product: Tenda HG3
CVE-2026-8259 · Same vendor: Tenda
CVE-2026-4253 · Same vendor: Tenda
CVE-2026-8265 · Same vendor: Tenda
CVE-2026-5547 · Same vendor: Tenda
CVE-2026-8264 · Same vendor: Tenda
CVE-2026-8263 · Same vendor: Tenda
CVE-2025-7414 · Same vendor: Tenda

Affected Assets

tenda
hg3 firmware
300003070

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent · SI-10 Information Input Validation: Directly requires validation of the countrystr input parameter to block the OS command injection vector in /boaform/formCountrystr.

prevent · AC-6 Least Privilege: Limits privileges of the web process handling formCountrystr so injected commands cannot achieve full device compromise.

detect: Enables monitoring of command execution and anomalous behavior on the Tenda HG3 resulting from successful exploitation of the public CVE-2026-7119 payload.
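As an added example of what the detect control amounts to in practice (written for this page; not the database's, vendor's or any IDS product's own code), the C below inspects raw HTTP requests the way an inline proxy or IDS in front of the router's web interface would, and flags a countrystr value sent to /boaform/formCountrystr that carries shell metacharacters once percent-decoded. The sample requests are constructed; the verb the real handler accepts and the form encoding are assumptions, so the check looks in both the query string and a form-encoded body.

```c
#include <stdio.h>
#include <string.h>

#define TARGET_PATH "/boaform/formCountrystr"
/* Characters that give a value meaning to /bin/sh -c; CR/LF included because
 * an injected value may also land inside a generated script. */
#define SHELL_META  ";|&`$()<>\n\r"

/* Constructed sample requests as a proxy in front of the router would see them;
 * the verb, the form encoding and the extra "save" field are assumptions. */
static const char *const SAMPLE_REQUESTS[] = {
    "POST /boaform/formCountrystr HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\ncountrystr=US&save=Apply",
    "POST /boaform/formCountrystr HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\ncountrystr=US%3Bid&save=Apply",
    "GET /boaform/formCountrystr?countrystr=DE%60id%60 HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
};
#define NUM_SAMPLES (sizeof SAMPLE_REQUESTS / sizeof SAMPLE_REQUESTS[0])

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode one form value into dst ('+' becomes space); stops at '&'. */
static void urldecode_value(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    while (*src && *src != '&' && n + 1 < dstlen) {
        if (*src == '%' && hexval(src[1]) >= 0 && hexval(src[2]) >= 0) {
            dst[n++] = (char)(hexval(src[1]) * 16 + hexval(src[2]));
            src += 3;
        } else if (*src == '+') {
            dst[n++] = ' ';
            src++;
        } else {
            dst[n++] = *src++;
        }
    }
    dst[n] = '\0';
}

/* Find name=... in a form-encoded string and decode its value; 1 if found. */
static int get_param(const char *form, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = form;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            urldecode_value(p + nlen + 1, out, outlen);
            return 1;
        }
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    return 0;
}

/* Returns 1 if the raw request targets TARGET_PATH and its countrystr
 * parameter, taken from the query string or the form body, contains shell
 * metacharacters after decoding; 0 otherwise. */
int is_countrystr_injection(const char *raw)
{
    char path[256], value[256];
    const char *sp = strchr(raw, ' ');            /* request-target follows the method */
    if (sp == NULL)
        return 0;
    const char *end = strpbrk(sp + 1, " \r\n");   /* request-target ends at the version */
    if (end == NULL)
        return 0;
    size_t plen = (size_t)(end - sp - 1);
    if (plen >= sizeof path)
        return 0;                                 /* oversize target: out of scope here */
    memcpy(path, sp + 1, plen);
    path[plen] = '\0';

    char *query = strchr(path, '?');
    if (query != NULL)
        *query++ = '\0';                          /* split path from query string */
    if (strcmp(path, TARGET_PATH) != 0)
        return 0;

    const char *body = strstr(raw, "\r\n\r\n");   /* form body follows the blank line */
    body = body ? body + 4 : "";

    if (!(query != NULL && get_param(query, "countrystr", value, sizeof value)) &&
        !get_param(body, "countrystr", value, sizeof value))
        return 0;
    return strpbrk(value, SHELL_META) != NULL;
}

/* Runs the check over a batch of requests and returns how many were flagged. */
int count_flagged(const char *const reqs[], size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++)
        flagged += is_countrystr_injection(reqs[i]);
    return flagged;
}

int main(void)
{
    for (size_t i = 0; i < NUM_SAMPLES; i++)
        printf("request %zu: %s\n", i,
               is_countrystr_injection(SAMPLE_REQUESTS[i]) ? "FLAGGED" : "ok");
    printf("%d of %zu flagged\n", count_flagged(SAMPLE_REQUESTS, NUM_SAMPLES), NUM_SAMPLES);
    return 0;
}
```

The decision is taken on the decoded value, not on the raw bytes, so percent-encoded metacharacters (%3B, %60) are caught. A rule that only pattern-matches the request line in an access log would miss the POST case entirely, because the parameter travels in the body; this is why the detect control is best placed on a proxy, WAF or IDS that sees whole requests rather than on the router's own thin logging.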
