CVE-2026-1687
Remote Command Injection in Tenda Boa Webserver via serverString
Publication date: 2026-01-30
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | hg10_firmware | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in the Tenda HG10 router's Boa Webserver component, specifically in the /boaform/formSamba file. It occurs because the serverString parameter is taken directly from user input and used in system commands without proper validation or sanitization. This allows an unauthenticated remote attacker to inject and execute arbitrary commands on the device, potentially gaining full control over the router. [1, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to full compromise of the affected router. An attacker can execute arbitrary system commands remotely without authentication, which can impact the confidentiality, integrity, and availability of the device and the network it supports. This could result in unauthorized access, disruption of network services, or use of the device for further attacks. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by monitoring for unusual HTTP requests targeting the /boaform/formSamba endpoint with the serverString parameter containing suspicious or command injection payloads. Since the vulnerability involves command injection via the serverString parameter, you can use network traffic inspection tools or web server logs to identify such attempts. For example, using curl to test the endpoint with crafted payloads or using intrusion detection system (IDS) rules to detect command injection patterns in requests to /boaform/formSamba may help. Specific commands might include: curl -v 'http://<router-ip>/boaform/formSamba?serverString=;id' to test if command injection is possible. However, no official detection commands or signatures are provided in the resources. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected Tenda HG10 router device with a non-vulnerable model, as no known countermeasures or patches are currently available. Additionally, restricting remote access to the router's web interface, disabling remote management if possible, and monitoring network traffic for exploitation attempts can help reduce risk. Since the vulnerability allows unauthenticated remote command execution and no vendor patch or workaround is available, device replacement is the recommended mitigation. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows remote attackers to execute arbitrary commands on the affected device without authentication, impacting confidentiality, integrity, and availability of the system. Such a compromise could lead to unauthorized access to sensitive data or disruption of services, which may result in non-compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information. However, no specific compliance impact or regulatory discussion is provided in the available resources. [1, 3]