CVE-2026-7119

HighPublic PoCRCE

Published: 27 April 2026

Published

27 April 2026

Modified

30 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0097 76.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7119 is a high-severity Command Injection (CWE-77) vulnerability in Tenda Hg3 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 requires information input validation at system entry points, directly preventing OS command injection through manipulation of the countrystr argument in /boaform/formCountrystr.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates identification, reporting, and timely correction of system flaws, enabling patching or mitigation of this specific command injection vulnerability in Tenda HG3 firmware.

SC-7 Boundary Protection partial match

prevent

SC-7 provides boundary protection mechanisms to monitor and control communications at the router's external interface, restricting remote exploitation of the publicly available command injection vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE enables remote exploitation of a public-facing router web interface (T1190) for arbitrary OS command injection, facilitating Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was detected in Tenda HG3 2.0. The impacted element is an unknown function of the file /boaform/formCountrystr. The manipulation of the argument countrystr results in os command injection. The attack may be performed from remote. The exploit is…

now public and may be used.

Deeper analysisAI

CVE-2026-7119 is an OS command injection vulnerability (CWE-77, CWE-78) in Tenda HG3 2.0 router firmware, published on 2026-04-27. The issue resides in an unknown function within the /boaform/formCountrystr file, where manipulation of the countrystr argument enables arbitrary OS command execution.

Attackers can exploit this remotely over the network with low complexity and low privileges required (PR:L), without user interaction. Successful exploitation yields high impacts on confidentiality, integrity, and availability (CVSS:3.1 score of 8.8; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), allowing injected commands to potentially compromise the device fully.

Advisories from VulDB (https://vuldb.com/vuln/359719) and related CTI (https://vuldb.com/vuln/359719/cti) document the vulnerability, with additional details on a Notion page (https://www.notion.so/Tenda-HG3-1-33d0c75766a8808d8b38e9d090cec7ab) and Tenda's site (https://www.tenda.com.cn/). The exploit is public and available for use.

Security practitioners should monitor for real-world exploitation, as the public exploit increases risk to exposed Tenda HG3 2.0 devices.

Details

CWE(s): CWE-77 CWE-78

Affected Products

tenda

hg3 firmware

300003070

CVEs Like This One

CVE-2026-7096Same product: Tenda Hg3

CVE-2026-7160Same product: Tenda Hg3

CVE-2026-7151Same product: Tenda Hg3

CVE-2026-8264Same vendor: Tenda

CVE-2026-8259Same vendor: Tenda

CVE-2026-4253Same vendor: Tenda

CVE-2026-8265Same vendor: Tenda

CVE-2026-5547Same vendor: Tenda

CVE-2026-8263Same vendor: Tenda

CVE-2025-7414Same vendor: Tenda

References

https://vuldb.com/submit/800859
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/359719
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/359719/cti
Permissions Required, VDB Entry · cna@vuldb.com
https://www.notion.so/Tenda-HG3-1-33d0c75766a8808d8b38e9d090cec7ab
Exploit, Third Party Advisory · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com