Tenda HG10 Command Injection Vulnerability in Login Interface

Vulnerability

A command injection vulnerability has been identified in the Tenda HG10 AC1200 Dualband Wi-Fi xPON ONT router, specifically in the Boa web server's formLogin interface. The issue arises in the checkUserFromLanOrWan function, where the Host parameter is not properly validated, allowing remote attackers to inject and execute arbitrary system commands. This vulnerability affects the firmware version US_HG7_HG9_HG10re_300001138_en_xpon.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a request to the Tenda HG10 router's login interface with a crafted Host parameter. The injected command will be executed on the device, as confirmed by the creation of a directory named 'hahaha' on the device's file system.
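The root cause described above is a Host value that reaches a command line without being constrained to the shape a Host header can legitimately have. The following is an added example, not code from the Tenda firmware or from the Boa web server, of the allow-list check a login handler such as checkUserFromLanOrWan should apply before the value is used anywhere: it accepts only "<hostname-or-IPv4>[:port]" per RFC 1123 label rules, so shell metacharacters, whitespace and control bytes can never pass. The function names and the sample inputs are constructed for illustration; bracketed IPv6 literals are deliberately out of scope and rejected.

```c
/* Added example (not Tenda's or Boa's code): strict allow-list validation
 * of the HTTP Host header value before it is used by a login handler.
 * Assumptions: hostnames follow RFC 1123 labels ([A-Za-z0-9-], 1..63 chars,
 * no leading/trailing '-'), an optional ":port" in 1..65535 is allowed,
 * and anything else (including IPv6 literals) is rejected. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 253  /* RFC 1035 limit on a full domain name */

/* Returns 1 if label[0..n) is a valid hostname label, else 0. */
static int valid_label(const char *label, size_t n)
{
    if (n == 0 || n > 63) return 0;
    if (label[0] == '-' || label[n - 1] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)label[i];
        if (!isalnum(c) && c != '-') return 0;
    }
    return 1;
}

/* Returns 1 if port[0..n) is 1..5 decimal digits with value 1..65535. */
static int valid_port(const char *port, size_t n)
{
    if (n == 0 || n > 5) return 0;
    unsigned long v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)port[i])) return 0;
        v = v * 10 + (unsigned long)(port[i] - '0');
    }
    return v >= 1 && v <= 65535;
}

/* Returns 1 if host is exactly "<hostname-or-ipv4>[:port]", else 0.
 * Because only [A-Za-z0-9.-] and one ':' are part of the grammar, any
 * ';', '|', '`', '$', '&', quotes, spaces or control bytes are rejected. */
int host_header_is_valid(const char *host)
{
    if (host == NULL) return 0;
    size_t len = strlen(host);
    if (len == 0 || len > HOST_MAX + 6) return 0;   /* +6 covers ":65535" */

    const char *colon = strchr(host, ':');
    size_t name_len = colon ? (size_t)(colon - host) : len;
    if (colon && !valid_port(colon + 1, len - name_len - 1)) return 0;
    if (name_len == 0 || name_len > HOST_MAX) return 0;

    /* Walk dot-separated labels; empty labels (a..b, trailing '.') fail. */
    size_t start = 0;
    for (size_t i = 0; i <= name_len; i++) {
        if (i == name_len || host[i] == '.') {
            if (!valid_label(host + start, i - start)) return 0;
            start = i + 1;
        }
    }
    return 1;
}

/* Counts how many of n Host values the validator rejects. */
int count_rejected(const char *const *hosts, size_t n)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!host_header_is_valid(hosts[i])) rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed sample Host values, not captured traffic. */
    static const char *const samples[] = {
        "192.168.1.1",        /* typical LAN address: accepted */
        "router.lan:8080",    /* hostname with port: accepted */
        "router.lan;ls",      /* ';' is outside the grammar: rejected */
        "router.lan|ls",      /* '|' is outside the grammar: rejected */
        "host.lan:99999",     /* port out of range: rejected */
        "",                   /* empty: rejected */
    };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++)
        printf("%-20s %s\n", samples[i],
               host_header_is_valid(samples[i]) ? "accept" : "reject");
    printf("%d of %zu rejected\n", count_rejected(samples, n), n);
    return 0;
}
```

Compile with `cc -std=c99 -Wall host_check.c && ./a.out` (file name assumed). The design point is that the check is an allow-list on structure, not a deny-list of metacharacters: a deny-list has to anticipate every quoting and substitution form the shell understands, whereas a grammar that admits only hostname characters and a port leaves nothing for an injected payload to use. Even with this check in place, the handler should avoid passing the Host value to a shell at all and should reach the underlying functionality through library calls or an exec-style interface with an argument vector.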

Added: Jan 30, 2026, 5:21 PM
Updated: Jan 30, 2026, 5:21 PM

Vulnerability Rating (custom algorithm)

spread          0.0
impact          7.5
exploitability  8.7
remediation     0.0
relevance       2.4
threat          6.5
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.