Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was detected in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01. This impacts the function sub_425A28 of the file /goform/DelFil. The manipulation of the argument delflag results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
AnalysisAI
Command injection in Tenda 4G300 US version 1.01.42 allows authenticated remote attackers to execute arbitrary system commands via the delflag parameter in the /goform/DelFil endpoint. The vulnerability affects the sub_425A28 function and has publicly available exploit code; CVSS 6.3 reflects authenticated access requirement but moderate impact scope.
Technical ContextAI
The vulnerability exists in the web management interface of the Tenda 4G300 router firmware. The /goform/DelFil endpoint processes user-supplied input through the delflag parameter without proper sanitization before passing it to system command execution functions. CWE-77 (Improper Neutralization of Special Elements used in a Command) indicates the root cause is insufficient input validation when constructing or executing system commands. The affected function sub_425A28 is part of the router's file management functionality, suggesting the delflag parameter is intended to control file deletion operations but is instead interpretable as shell metacharacters or command operators.
RemediationAI
Immediate remediation requires contacting Tenda support to obtain a patched firmware version, as no official fix has been publicly released at the time of analysis. Interim compensating controls include: (1) Restrict network access to the router's web management interface to trusted IP addresses only using firewall rules, blocking the /goform/DelFil endpoint from untrusted sources. (2) Disable remote management features if not operationally required - most Tenda routers default to local-only access but may be exposed in cloud-managed deployments. (3) Change default or weak admin credentials and enforce strong authentication policies to reduce likelihood of account compromise. (4) Segment the router on a separate management VLAN with strict egress filtering to limit lateral movement if the device is compromised. Monitor Tenda's website (https://www.tenda.com.cn/) and contact support channels for security updates; CVE tracking and automatic security notifications are not available for this product line based on provided references.
Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. Rated high sev
Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and Tenda N3 Wireless N150 devices allow remote attacke
The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication
Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. Rated critic
In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via
Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan. Rated critical severity (CV
Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet. Rated critical se
Tenda AX1803 v1.0.0.1 was discovered to contain a command injection vulnerability via the function fromAdvSetLanIp. Rate
Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /
In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWp
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26306