Key Information CVE ID: CVE-2026-25857 Date: February 7, 2026 Vulnerability Description: - Affected Product: Tenda G300-F router firmware version 16.01.14.2 and earlier. - Vulnerable Feature: The WAN diagnostic function ( ) is vulnerable to OS command injection. - Root Cause: The function constructs a shell command using , but fails to properly sanitize user-controlled input in the command line. This allows remote attackers to inject additional shell syntax via the affected management interface and execute arbitrary commands with privileges of the management process. - Critical Code Snippet: - Uses to execute system commands, with insufficient input validation and sanitization for the parameter. Exploitation Method: - Ensure the command string includes a semicolon to append attacker-specified commands, e.g., or . - Trigger the vulnerability via , likely through the endpoint. Potential Bypass of Fixes: - Tenda’s fix may involve using or similar mechanisms, but these could still be bypassed. Attackers can exploit ’s option to perform file writes, such as , enabling overwriting files or creating cron jobs. Exploit Code: - Exploit code is available on GitHub. - If this CVE advisory is private, it indicates the vulnerability has not yet been publicly disclosed.