CVE-2026-1690: Command Injection in Tenda HG10
A flaw has been found in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. This affects the function system of the file /boaform/formSysCmd. This manipulation of the argument sysCmd causes command injection. The attack may be initiated remotely. The exploit has been published and may be used.
AI Analysis
Technical Summary
CVE-2026-1690 is a command injection vulnerability in the Tenda HG10 device firmware version US_HG7_HG9_HG10re_300001138_en_xpon. The vulnerability resides in the system function exposed via the /boaform/formSysCmd endpoint, where the sysCmd parameter is improperly sanitized, allowing an attacker to inject arbitrary system commands. This flaw can be exploited remotely without any authentication or user interaction, enabling attackers to execute commands with the privileges of the system process running the web interface. The vulnerability has a CVSS 4.0 base score of 5.1, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L) and no user interaction needed. The vector lists PR:H, which indicates high privileges required, but the description suggests remote exploitation without authentication, so this may be a discrepancy. The impact on confidentiality, integrity, and availability is rated low, but the ability to execute arbitrary commands can lead to device compromise, persistent backdoors, or denial of service. No patches or official fixes have been published yet, and while no exploits are currently known in the wild, the availability of a public exploit increases the risk of exploitation. The affected product, Tenda HG10, is commonly used in broadband and fiber optic network environments, often deployed by ISPs and enterprises for network access. Exploitation could allow attackers to disrupt network services or pivot into internal networks.
Potential Impact
For European organizations, especially ISPs, telecom providers, and enterprises using Tenda HG10 devices, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized command execution on network devices, resulting in service disruption, data interception, or lateral movement within corporate networks. The compromise of such network infrastructure devices can undermine network integrity and availability, potentially affecting critical communications and business operations. Given the remote attack vector and lack of authentication, attackers could exploit this vulnerability from outside the network perimeter. This threat is particularly concerning for organizations with limited network segmentation or those exposing management interfaces to the internet. The medium CVSS score may underestimate the operational impact, as control over network devices can have cascading effects on connected systems and services.
Mitigation Recommendations
European organizations should immediately audit their network for the presence of Tenda HG10 devices running the affected firmware version. Since no official patches are currently available, organizations should implement network-level mitigations such as disabling remote management interfaces exposed to untrusted networks and restricting access to the /boaform/formSysCmd endpoint via firewall rules or access control lists. Network segmentation should be enforced to isolate vulnerable devices from critical infrastructure and sensitive data environments. Continuous monitoring and logging of device management interfaces should be enabled to detect anomalous command execution attempts. Where possible, replace or upgrade affected devices to versions without this vulnerability once patches are released. Additionally, organizations should educate network administrators about this vulnerability and establish incident response procedures to quickly contain any exploitation attempts.
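An added example (not part of the original advisory) for the monitoring step above: it scans access-log lines and flags every request to /boaform/formSysCmd that does not come from a management subnet. The Common Log Format input (for example from a reverse proxy or gateway in front of the devices), the subnet 10.10.50.0/24 and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

ENDPOINT = "/boaform/formsyscmd"  # advisory's endpoint, lowercased for matching
# Assumption: only this subnet hosts legitimate management stations.
MGMT_NETS = [ipaddress.ip_network("10.10.50.0/24")]

# Common Log Format: src ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def normalize(target):
    """Drop the query string, decode %xx, collapse repeated slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).rstrip("/").lower()

def is_mgmt(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is never treated as trusted
    return any(addr in net for net in MGMT_NETS)

def scan(lines):
    """Return one finding per request that reaches the sysCmd handler."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and normalize(m["target"]) == ENDPOINT:
            findings.append({"src": m["src"], "time": m["ts"], "status": int(m["status"]),
                             "severity": "info" if is_mgmt(m["src"]) else "alert"})
    return findings

def alerts_by_source(findings):
    return Counter(f["src"] for f in findings if f["severity"] == "alert")

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.10.50.7 - - [30/Jan/2026:16:01:02 +0000] "POST /boaform/formSysCmd HTTP/1.1" 200 128',
    '203.0.113.45 - - [30/Jan/2026:16:03:10 +0000] "POST /boaform/formSysCmd HTTP/1.1" 200 131',
    '203.0.113.45 - - [30/Jan/2026:16:03:12 +0000] "POST /boaform//formSysCmd?x=1 HTTP/1.1" 200 131',
    '198.51.100.9 - - [30/Jan/2026:16:04:00 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(dict(alerts_by_source(scan(SAMPLE_LOG))))
```

Requests from the management subnet are still recorded at "info" severity so that use of the endpoint stays auditable until a fixed firmware is available.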
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-30T07:57:40.795Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 697cdf88ac063202226562a2
Added to database: 1/30/2026, 4:42:48 PM
Last enriched: 1/30/2026, 4:57:07 PM
Last updated: 1/30/2026, 6:05:36 PM
Related Threats
- CVE-2026-1700: Cross Site Scripting in projectworlds House Rental and Property Listing (Medium)
- CVE-2026-1691: Deserialization in bolo-solo (Medium)
- CVE-2026-1689: Command Injection in Tenda HG10 (Medium)
- CVE-2026-1688: SQL Injection in itsourcecode Directory Management System (Medium)
- CVE-2026-1687: Command Injection in Tenda HG10 (Medium)