{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/hg3-2.0-300003070/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7096"}],"_cs_exploited":false,"_cs_products":["HG3 2.0 300003070"],"_cs_severities":["critical"],"_cs_tags":["command-injection","router","tenda"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical command injection vulnerability, identified as CVE-2026-7096, affects Tenda HG3 2.0 300003070 routers. The vulnerability resides in the \u0026lsquo;formgponConf\u0026rsquo; function within the \u0026lsquo;/boaform/admin/formgponConf\u0026rsquo; file. An attacker can exploit this flaw by manipulating the \u0026lsquo;fmgpon_loid\u0026rsquo; argument. Successful exploitation allows a remote attacker to execute arbitrary operating system commands on the affected device. Given the public availability of an exploit, Tenda HG3 devices are at immediate risk of compromise. This poses a significant threat as attackers can potentially gain full control of the router, compromise connected networks, and exfiltrate sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda HG3 2.0 300003070 router with an exposed web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u0026lsquo;/boaform/admin/formgponConf\u0026rsquo; endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a payload containing OS commands into the \u0026lsquo;fmgpon_loid\u0026rsquo; parameter of the POST request.\u003c/li\u003e\n\u003cli\u003eThe Tenda HG3 router\u0026rsquo;s web server processes the request without proper input validation of the \u0026lsquo;fmgpon_loid\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe injected OS command is executed by the router\u0026rsquo;s operating system with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the Tenda HG3 router.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish a reverse shell to maintain persistent access or download further malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker can then pivot to internal networks, exfiltrate data, or use the compromised router for other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7096 grants attackers the ability to execute arbitrary OS commands on the Tenda HG3 router. This can lead to complete compromise of the device, allowing attackers to modify router settings, intercept network traffic, and potentially gain access to connected devices on the local network. Given the widespread use of Tenda routers in home and small business environments, a successful attack could impact thousands of users. The vulnerability\u0026rsquo;s high CVSS score of 8.8 underscores the severity and potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda HG3 Command Injection Attempt\u0026rdquo; to your SIEM to identify exploitation attempts by monitoring HTTP POST requests to \u0026lsquo;/boaform/admin/formgponConf\u0026rsquo; with suspicious commands in the \u0026lsquo;fmgpon_loid\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (NIDS) rules to detect malicious payloads in HTTP POST requests targeting the vulnerable endpoint, as described in the \u0026ldquo;Attack Chain\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eWhile no specific IOCs are provided, analyze network traffic and web server logs for unusual activity originating from or targeting Tenda HG3 routers.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests to /boaform/admin/formgponConf (described in Attack Chain step 2).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-tenda-hg3-command-injection/","summary":"A command injection vulnerability (CVE-2026-7096) exists in the Tenda HG3 2.0 300003070 router, allowing remote attackers to execute arbitrary OS commands by manipulating the 'fmgpon_loid' argument in the 'formgponConf' function of the '/boaform/admin/formgponConf' file due to insufficient input validation.","title":"Tenda HG3 Router Command Injection Vulnerability (CVE-2026-7096)","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-hg3-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — HG3 2.0 300003070","version":"https://jsonfeed.org/version/1.1"}