ГлавнаяУязвимости → CVE-2026-25857
8.8высокая

CVE-2026-25857

→ есть в БДУ: BDU:2026-01506 (на русском)
Описание (на английском; русское — в БДУ выше)

Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

Затрагиваемое ПО
Tenda G300-f firmwareTenda G300-f
CVSS
Балл8.8 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Источники
https://blog.evan.lat/blog/cve-2026-25857/https://www.tendacn.com/material/show/736333682028613https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag