The vulnerability CVE-2026-25857 is an OS command injection issue classified under CWE-78, found in the WAN diagnostic feature of the Shenzhen Tenda Technology G300-F router firmware version 16.01.14.2 and prior. The root cause is improper neutralization of special characters in user-supplied input that is concatenated into a shell command string executed by the device. Specifically, the formSetWanDiag function constructs a shell command invoking curl, embedding attacker-controlled input without adequate sanitization or escaping. This allows an attacker who can access the router's management interface to inject arbitrary shell commands, which the system executes with the privileges of the management process. The vulnerability does not require user interaction and can be exploited remotely over the network, assuming the attacker has the necessary access rights (high privileges) to the management interface. The CVSS v4.0 base score is 8.6, reflecting high severity due to network attack vector, low attack complexity, no required privileges beyond management access, and high impact on confidentiality, integrity, and availability. No patches or exploits are currently publicly available, but the flaw represents a critical risk for affected devices if left unmitigated.

Successful exploitation of this vulnerability allows attackers to execute arbitrary commands on the router with management-level privileges, potentially leading to full device compromise. This can result in unauthorized access to network traffic, manipulation or disruption of network services, installation of persistent malware, or use of the device as a pivot point for further attacks within an organization’s network. The confidentiality of sensitive data passing through the router can be compromised, integrity of network configurations can be altered, and availability of network connectivity can be disrupted. Given the router’s role as a network gateway, the impact extends beyond the device itself to the broader network environment. Organizations relying on Tenda G300-F routers in critical infrastructure or enterprise networks face significant operational and security risks if this vulnerability is exploited.

Since no official patches are currently available, organizations should immediately restrict access to the router’s management interface to trusted networks and users only, preferably via VPN or secure management VLANs. Disable WAN diagnostic features if not required to reduce the attack surface. Implement network segmentation to isolate vulnerable devices from critical assets. Monitor router logs and network traffic for unusual activity indicative of exploitation attempts. Where possible, replace affected devices with updated hardware or firmware versions once patches are released. Employ strong authentication and change default credentials to prevent unauthorized management access. Regularly audit device configurations and firmware versions to ensure timely application of security updates when they become available.