Tenda W30E Command Injection Vulnerability in do_ping_action Function

Vulnerability

A command injection vulnerability has been identified in the Tenda W30E V2.0 router, specifically in version V16.01.0.21. The issue arises in the do_ping_action function, where the hostName parameter can be manipulated to execute arbitrary commands. This vulnerability can be exploited by sending a crafted request that includes malicious command payloads.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to the /goform/module endpoint with a crafted JSON payload. The hostName parameter should be set to include the desired command injection, such as a ping command followed by a command to write to a webroot file. After the request is processed, the injected command will be executed, and the results can be verified by checking the modified file.
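A defensive check for the request described above, as an added example that is not part of the original advisory or of Tenda's code: it flags POST requests to /goform/module whose hostName value is anything other than a bare IP address or hostname. The JSON layout of the sample requests and all function names are assumptions; the check looks for a hostName key at any depth.

```python
import ipaddress
import json
import re

# Character allowlist first: it also rejects IPv6 zone ids ("%..."), which
# ipaddress would otherwise accept with arbitrary trailing characters.
_SAFE_CHARS = re.compile(r"[A-Za-z0-9.:-]{1,253}")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")

def is_plain_host(value):
    """True only for a bare IP literal or an RFC 1123 style hostname."""
    if not isinstance(value, str) or not _SAFE_CHARS.fullmatch(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.fullmatch(value) is not None

def find_host_names(node):
    """Yield every value stored under a 'hostName' key at any depth."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "hostName":
                yield val
            else:
                yield from find_host_names(val)
    elif isinstance(node, list):
        for item in node:
            yield from find_host_names(item)

def suspicious_host_names(method, path, body):
    """Return hostName values in a /goform/module POST that are not plain hosts."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/goform/module":
        return []
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return []
    return [v for v in find_host_names(doc) if not is_plain_host(v)]

# Constructed sample requests (method, path, body); the JSON layout is assumed.
SAMPLES = [
    ("POST", "/goform/module", '{"ping": {"hostName": "192.0.2.10"}}'),
    ("POST", "/goform/module", '{"ping": {"hostName": "example.com"}}'),
    ("POST", "/goform/module", '{"ping": {"hostName": "192.0.2.10;id"}}'),
    ("GET", "/index.html", ""),
]
FLAGGED = [suspicious_host_names(*sample) for sample in SAMPLES]
```

The same allowlist is the shape of the fix on the device side: a value that is not a plain host should be rejected before it reaches the ping handler.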

Added: Apr 21, 2026, 6:54 PM
Updated: Apr 21, 2026, 6:54 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.8
remediation: 0.0
relevance: 6.4
threat: 6.7
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.