CVE-2026-7119 Overview
CVE-2026-7119 is an operating system command injection vulnerability in Tenda HG3 2.0 routers. The flaw resides in an unknown function inside the /boaform/formCountrystr endpoint, where the countrystr parameter is passed to a system shell without sanitization. Remote attackers holding low-level credentials can inject arbitrary commands that execute with the privileges of the embedded web server. Public exploit details are available, increasing the likelihood of opportunistic exploitation against exposed devices. The vulnerability is tracked under CWE-77 (Improper Neutralization of Special Elements used in a Command).
Critical Impact
Successful exploitation grants remote command execution on the router, enabling full device takeover, traffic interception, and pivoting into the internal network.
Affected Products
- Tenda HG3 hardware revision 2.0
- Tenda HG3 firmware build 300003070
- Tenda HG3 deployments exposing the /boaform/ web interface
Discovery Timeline
- 2026-04-27 - CVE-2026-7119 published to NVD
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-7119
Vulnerability Analysis
The Tenda HG3 web management interface exposes the /boaform/formCountrystr handler, served by the boa web server commonly used in embedded Linux devices. The handler accepts a countrystr parameter intended to configure the device's regional setting. Instead of validating or escaping the input, the firmware concatenates the value into a shell command executed via a system call. Any shell metacharacters supplied by the attacker break out of the intended command context and run arbitrary binaries available on the device.
Because the embedded web server typically runs as root on consumer routers, injected commands inherit administrative privileges. Attackers can modify firewall rules, drop persistent backdoors, alter DNS configuration, or relay traffic. The vulnerability requires authenticated access at a low privilege level, but default and weak credentials remain common on residential gateways.
Root Cause
The root cause is missing input neutralization in the countrystr parameter handler. The firmware treats user-supplied data as part of a shell command string rather than as an isolated argument. No allow-list, length restriction, or metacharacter filter is applied before the value reaches the command interpreter.
Attack Vector
An attacker reaches the vulnerable endpoint over the network by sending a crafted HTTP request to /boaform/formCountrystr with a malicious countrystr value. The request requires a valid low-privilege session. Shell separators such as ;, |, or backticks terminate the intended command and append attacker-controlled instructions. Exploitation does not require user interaction.
The vulnerability is described in prose only; no verified proof-of-concept code is published in the referenced advisories. See VulDB entry #359719 and the Notion Tenda HG3 Analysis for technical context.
Detection Methods for CVE-2026-7119
Indicators of Compromise
- HTTP POST or GET requests to /boaform/formCountrystr containing shell metacharacters such as ;, &&, |, $(, or backticks in the countrystr parameter
- Unexpected outbound connections originating from the router's management IP to unfamiliar hosts
- New or modified processes on the device such as wget, curl, tftp, or busybox invocations spawned by the boa web server
- Persistence artifacts in /etc/init.d/, /tmp/, or modified rc startup scripts
Detection Strategies
- Inspect web server access logs for requests to /boaform/formCountrystr with non-alphanumeric countrystr values
- Deploy network IDS signatures that flag shell metacharacter patterns within HTTP request bodies targeting boaform endpoints
- Baseline router DNS, firewall, and routing tables to detect unauthorized changes following suspicious management traffic
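The access-log inspection described above can be scripted. The following is an added example, not code from the advisory or from Tenda: it assumes the device or an upstream proxy writes common-log-format lines, and the sample log entries and the names suspicious_countrystr and scan are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/boaform/formCountrystr"
# Assumption: common/combined log format with the request line in double quotes.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Criterion taken from the detection strategy: the value should be alphanumeric only.
SAFE_VALUE = re.compile(r"[A-Za-z0-9]+")

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2026:10:00:01 +0000] "GET /boaform/formCountrystr?countrystr=US HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/May/2026:10:00:05 +0000] "GET /boaform/formCountrystr?countrystr=US%3Bid HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/May/2026:10:00:09 +0000] "GET /boaform/formCountrystr?countrystr=%60uname%60 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/May/2026:10:00:12 +0000] "GET /index.html?countrystr=a%7Cb HTTP/1.1" 200 1024',
]


def suspicious_countrystr(target, body=""):
    """Return decoded countrystr values that are not purely alphanumeric.

    target is the request target from the log; body is an optional
    form-encoded POST body, for sources that capture request bodies.
    """
    parts = urlsplit(target)
    if unquote(parts.path).rstrip("/") != ENDPOINT:
        return []
    # parse_qsl percent-decodes, so encoded metacharacters (%3B, %60, ...) are seen in clear.
    pairs = parse_qsl(parts.query) + parse_qsl(body)
    return [v for k, v in pairs if k == "countrystr" and not SAFE_VALUE.fullmatch(v)]


def scan(lines):
    """Return (line_number, source_address, decoded_value) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line in the assumed format
        for value in suspicious_countrystr(match["target"]):
            hits.append((number, match["src"], value))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: %s sent countrystr=%r" % hit)
```

Access logs normally record only the request line, so POST bodies need a source that captures them (a reverse proxy or IDS) and can be passed through the body argument.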
Monitoring Recommendations
- Forward router syslog and HTTP access logs to a centralized SIEM for correlation against management interface anomalies
- Alert on management interface access from external IP ranges or unexpected internal hosts
- Track firmware version 300003070 across the fleet and flag devices that remain on vulnerable builds
How to Mitigate CVE-2026-7119
Immediate Actions Required
- Restrict access to the router's web management interface to trusted internal segments and block WAN-side exposure
- Rotate administrative credentials on all Tenda HG3 devices and remove default or shared accounts
- Audit recent device configuration changes for unauthorized DNS, firewall, or port-forwarding modifications
- Isolate suspect devices from production networks until inspection is complete
Patch Information
As of the last NVD update on 2026-04-30, no vendor-supplied patch is referenced in advisories on Tenda's official website. Operators should monitor Tenda's support channels for firmware updates superseding build 300003070 and apply them once available.
Workarounds
- Disable remote management on the WAN interface and limit administrative access to an out-of-band VLAN
- Place affected devices behind a network firewall that filters inbound HTTP requests to /boaform/ paths
- Replace end-of-life or unpatched Tenda HG3 units with a supported gateway where vendor patches are unavailable
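# Example firewall rule: drop TCP/80 packets whose payload contains the vulnerable endpoint path.
# As written it matches on every interface; add -i <wan-interface> to restrict it to WAN-side traffic.
# The string match inspects cleartext packet payloads only, so it does not cover HTTPS traffic.
iptables -A INPUT -p tcp --dport 80 -m string \
  --string "/boaform/formCountrystr" --algo bm -j DROP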


