CVE-2026-7160
Published: 27 April 2026
Summary
CVE-2026-7160 is a high-severity Injection (CWE-74) vulnerability in Tenda HG3 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).
Deeper analysis
A vulnerability has been identified in Tenda HG3 2.0 within the formTracert function of the /boaform/formTracert file. Manipulation of the datasize argument allows command injection, classified under CWE-74 and CWE-77. The issue is remotely exploitable, with a CVSS 4.0 score of 7.4 reflecting a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.
An authenticated remote attacker can supply crafted input to the affected parameter and execute arbitrary commands on the device. Publicly disclosed exploit code is available, enabling potential full compromise of the affected router without user interaction.
The EPSS score remains low and unchanged at 0.0120 with no material rise observed. Reference sources point to vulnerability databases and the vendor site but contain no details on patches or specific mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25927
Vulnerability details
A vulnerability was determined in Tenda HG3 2.0. This vulnerability affects the function formTracert of the file /boaform/formTracert. Executing a manipulation of the argument datasize can lead to command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the web interface of the Tenda router enables exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of the datasize argument in formTracert to block command-injection payloads before execution.
- CM-7 (Least Functionality): Disables or restricts the tracert function and other non-essential services on the HG3, eliminating the vulnerable code path.
- Mandates timely application of vendor patches for the publicly disclosed formTracert command-injection flaw once released.
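As an added defensive example for the deeper analysis and the SI-10 / CM-7 controls above (this is not Tenda's firmware code and is not derived from the public proof-of-concept), the C sketch below shows how a CGI-style handler can apply allow-list validation to a traceroute packet-size field such as datasize and then launch the tool through execvp with an argv vector rather than a shell, so that metacharacters in the field are never interpreted. The function names parse_datasize, valid_host, build_traceroute_argv and run_traceroute, the bounds 28..1500, the host example.com and the sample field values are all assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Bounds for a traceroute packet length. Constructed values, not Tenda's. */
#define DATASIZE_MIN 28
#define DATASIZE_MAX 1500

/* Allow-list check for a "datasize" form field (hypothetical handler):
 * a plain decimal integer, no sign, no whitespace, no shell metacharacters,
 * within bounds. Returns 1 and writes the value on success, 0 otherwise. */
int parse_datasize(const char *s, long *out)
{
    if (s == NULL || *s == '\0' || strlen(s) > 4)   /* 1500 has 4 digits */
        return 0;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    errno = 0;
    char *end;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < DATASIZE_MIN || v > DATASIZE_MAX)
        return 0;
    *out = v;
    return 1;
}

/* Host allow-list (hypothetical helper): letters, digits, dot, hyphen. */
int valid_host(const char *h)
{
    size_t n = h ? strlen(h) : 0;
    if (n == 0 || n > 253)
        return 0;
    for (const char *p = h; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-')
            return 0;
    return 1;
}

/* Build an argv vector for traceroute(8): "traceroute HOST PACKETLEN".
 * The validated number is re-rendered into numbuf, so only our own digits
 * reach the child; no shell is involved at any point. Returns 0 on success. */
int build_traceroute_argv(const char *host, const char *datasize_field,
                          char *numbuf, size_t numbuf_len, char *argv[4])
{
    long n;
    if (!valid_host(host) || !parse_datasize(datasize_field, &n))
        return -1;
    snprintf(numbuf, numbuf_len, "%ld", n);
    argv[0] = "traceroute";
    argv[1] = (char *)host;
    argv[2] = numbuf;
    argv[3] = NULL;
    return 0;
}

/* Run traceroute via fork/execvp with the argv built above. Returns the
 * child's exit status, or -1 if the input was rejected or exec failed. */
int run_traceroute(const char *host, const char *datasize_field)
{
    char numbuf[16];
    char *argv[4];
    if (build_traceroute_argv(host, datasize_field, numbuf, sizeof numbuf, argv) != 0)
        return -1;                       /* rejected before any process is spawned */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);           /* argv elements are never shell-parsed */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample field values: one valid, the rest malformed. */
    const char *inputs[] = { "64", "64;ls", "64|ls", "9999", "-64", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        long v = 0;
        int ok = parse_datasize(inputs[i], &v);
        printf("datasize=%-8s -> %s\n", inputs[i], ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The two layers are deliberate: the allow-list check gives the SI-10 behaviour (reject anything that is not a bounded integer), and the argv/execvp launch removes the shell from the path entirely, so even a future validation slip would not turn a form field into a command line.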