Cyber Resilience

CVE-2026-7160

High · Public PoC · RCE

Published: 27 April 2026

Modified: 30 April 2026
CVSS v4.0 score: 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0327 (86.9th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-7160 is a high-severity Injection (CWE-74) vulnerability in Tenda Hg3 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

A vulnerability has been identified in Tenda HG3 2.0 within the formTracert function of the /boaform/formTracert file. Manipulation of the datasize argument allows command injection, classified under CWE-74 and CWE-77. The issue is remotely exploitable, with a CVSS 4.0 score of 7.4 reflecting a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

An authenticated remote attacker can supply crafted input to the affected parameter and execute arbitrary commands on the device. Publicly disclosed exploit code is available, enabling potential full compromise of the affected router without user interaction.

The EPSS score remains low and unchanged at 0.0120 with no material rise observed. Reference sources point to vulnerability databases and the vendor site but contain no details on patches or specific mitigation steps.

Vulnerability details

A vulnerability was determined in Tenda HG3 2.0. This vulnerability affects the function formTracert of the file /boaform/formTracert. Executing a manipulation of the argument datasize can lead to command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in the web interface of the Tenda router enables exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7119 (same product: Tenda Hg3)
CVE-2026-7096 (same product: Tenda Hg3)
CVE-2026-7151 (same product: Tenda Hg3)
CVE-2026-7102 (same vendor: Tenda)
CVE-2026-5338 (same vendor: Tenda)
CVE-2026-38834 (same vendor: Tenda)
CVE-2024-57583 (same vendor: Tenda)
CVE-2025-22949 (same vendor: Tenda)
CVE-2026-1638 (same vendor: Tenda)
CVE-2025-11523 (same vendor: Tenda)

Affected Assets

Vendor: tenda
Product: hg3 firmware
Version: 300003070

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of the datasize argument in formTracert to block command-injection payloads before execution.

Prevent (CM-7, Least Functionality): Disables or restricts the tracert function and other non-essential services on the HG3, eliminating the vulnerable code path.

Prevent: Mandates timely application of vendor patches for the publicly disclosed formTracert command-injection flaw once released.
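As an added illustration of the input-validation control above (example code written for this note, not Tenda's firmware), the handler below treats datasize as an allow-listed integer and hands it to traceroute as its own argv element, so no shell ever interprets the value. The size bounds, the probe target and the function names parse_datasize() and build_tracert_argv() are assumptions.

```c
/* Illustrative hardening of a traceroute "datasize" form parameter.
 * Added example for this note; not Tenda's firmware code. The bounds,
 * the probe target and the function names are assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DATASIZE_MIN 1
#define DATASIZE_MAX 1400   /* assumed ceiling for one probe payload */

/* Allow-list parse: ASCII digits only, bounded length, in-range value.
 * Anything else (spaces, signs, shell metacharacters) is rejected.
 * Returns 0 and stores the value on success, -1 otherwise. */
int parse_datasize(const char *s, int *out)
{
    if (s == NULL || *s == '\0' || strlen(s) > 5)
        return -1;
    for (const char *p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    long v = strtol(s, NULL, 10);
    if (v < DATASIZE_MIN || v > DATASIZE_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Build argv for traceroute so the value travels as its own argument
 * and no shell ever parses it (use with execv/execvp, not system()).
 * sizebuf must be at least 8 bytes; argv must hold 4 pointers. */
int build_tracert_argv(const char *datasize, char *sizebuf, size_t sizelen,
                       char *argv[4])
{
    int n;
    if (parse_datasize(datasize, &n) != 0)
        return -1;                      /* refuse the request outright */
    snprintf(sizebuf, sizelen, "%d", n);
    argv[0] = "traceroute";
    argv[1] = "192.0.2.1";              /* constructed probe target */
    argv[2] = sizebuf;                  /* traceroute's packetlen argument */
    argv[3] = NULL;
    return 0;
}
```

Call build_tracert_argv() on the raw form value and pass argv to execvp() in a child process; a non-zero return means the request is refused before any command runs.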
