Tenda HG3 Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the Tenda HG3 router operating system version 2.0. This issue arises in the 'formTracert' function of the '/boaform/formTracert' file, where improper validation of the 'datasize' argument allows for unauthorized command execution. The vulnerability can be exploited remotely, potentially leading to unauthorized access and control over the device, causing abnormal operations and significant security risks.

Impact

Exploitation of this vulnerability allows for command injection, with the potential for remote code execution on the affected device.

Added: Apr 27, 2026, 10:20 PM

Updated: Apr 27, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.7

remediation

0.0

relevance

6.8

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.7

remediation

0.0

relevance

6.8

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tenda HG3 Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating