Tenda HG10 Command Injection Vulnerability in Boa Webserver

Vulnerability

A command injection vulnerability has been identified in the Tenda HG10 AC1200 Dualband Wi-Fi xPON ONT router, specifically in the Boa webserver's formSamba interface. The vulnerability arises from improper handling of the user-supplied serverString parameter, allowing an unauthenticated attacker to inject and execute arbitrary system commands on the device. This exploitation could lead to a full compromise of the router.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device, potentially leading to full control over the router.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /boaform/formSamba endpoint. The request must include a crafted serverString parameter that contains the desired command injection payload. This can be done using tools like Burp Suite to intercept and modify the request before sending it to the server.
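The following is an added detection example, not part of the original advisory and not code from Tenda or the Boa project. It inspects captured HTTP requests (for example, from a proxy or WAF in front of the device) for POSTs to the /boaform/formSamba endpoint named above whose serverString value contains shell metacharacters, and it shows the allowlist check a server-side fix would apply to that parameter. The raw request samples, the host address, the workgroup parameter and the metacharacter set are constructed assumptions for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/boaform/formSamba"
TARGET_PARAM = "serverString"

# Characters that let a value break out of a shell command line; an assumed
# set chosen for detection, not a claim about how the firmware builds its command.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")

# Allowlist a hardened handler would enforce on a Samba server name (assumption).
VALID_SERVER_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, body); headers are ignored."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    return method, urlsplit(target).path, body


def inspect_request(raw: str) -> dict:
    """Flag a POST to the vulnerable endpoint whose serverString carries shell metacharacters."""
    method, path, body = parse_request(raw)
    verdict = {"path": path, "flagged": False, "reason": ""}
    if method != "POST" or path != TARGET_PATH:
        return verdict
    # parse_qs percent-decodes, so an encoded %3B is seen as ';'.
    values = parse_qs(body, keep_blank_values=True).get(TARGET_PARAM, [])
    for value in values:
        hit = SHELL_META.search(value)
        if hit:
            verdict["flagged"] = True
            verdict["reason"] = f"shell metacharacter {hit.group()!r} in {TARGET_PARAM}"
            break
    return verdict


def is_valid_server_name(value: str) -> bool:
    """Positive validation a fixed handler should apply before using the value at all."""
    return VALID_SERVER_NAME.fullmatch(value) is not None


def scan(samples: dict) -> list:
    """Return the names of all samples that inspect_request flags."""
    return [name for name, raw in samples.items() if inspect_request(raw)["flagged"]]


# Constructed sample requests (not captured from a real device); 192.0.2.1 is a
# documentation address and 'workgroup' is an assumed sibling form field.
SAMPLES = {
    "benign": (
        "POST /boaform/formSamba HTTP/1.1\r\nHost: 192.0.2.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "serverString=nas01&workgroup=HOME"
    ),
    "suspicious": (
        "POST /boaform/formSamba HTTP/1.1\r\nHost: 192.0.2.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "serverString=nas01%3Bcmd&workgroup=HOME"
    ),
    "other_endpoint": "GET /boaform/formLogin HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
    print("flagged:", scan(SAMPLES))
```

The detection rule and the allowlist are deliberately separate: the metacharacter match is what a monitoring rule can apply to traffic without knowing the firmware, while the positive allowlist is the stricter check that belongs in the handler itself, since rejecting everything outside a known-good pattern closes the class of bug rather than one encoding of it.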

Added: Jan 30, 2026, 4:22 PM
Updated: Jan 30, 2026, 4:22 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          7.5
  exploitability  8.7
  remediation     0.0
  relevance       2.5
  threat          6.5
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.