HG3 2.0 300003070 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/hg3-2.0-300003070/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000Tenda HG3 Router Command Injection Vulnerability (CVE-2026-7096)https://feed.craftedsignal.io/briefs/2024-01-tenda-hg3-command-injection/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-tenda-hg3-command-injection/A command injection vulnerability (CVE-2026-7096) exists in the Tenda HG3 2.0 300003070 router, allowing remote attackers to execute arbitrary OS commands by manipulating the 'fmgpon_loid' argument in the 'formgponConf' function of the '/boaform/admin/formgponConf' file due to insufficient input validation.A critical command injection vulnerability, identified as CVE-2026-7096, affects Tenda HG3 2.0 300003070 routers. The vulnerability resides in the ‘formgponConf’ function within the ‘/boaform/admin/formgponConf’ file. An attacker can exploit this flaw by manipulating the ‘fmgpon_loid’ argument. Successful exploitation allows a remote attacker to execute arbitrary operating system commands on the affected device. Given the public availability of an exploit, Tenda HG3 devices are at immediate risk of compromise. This poses a significant threat as attackers can potentially gain full control of the router, compromise connected networks, and exfiltrate sensitive information.

Attack Chain

  1. The attacker identifies a vulnerable Tenda HG3 2.0 300003070 router with an exposed web interface.
  2. The attacker crafts a malicious HTTP POST request targeting the ‘/boaform/admin/formgponConf’ endpoint.
  3. The attacker injects a payload containing OS commands into the ‘fmgpon_loid’ parameter of the POST request.
  4. The Tenda HG3 router’s web server processes the request without proper input validation of the ‘fmgpon_loid’ parameter.
  5. The injected OS command is executed by the router’s operating system with the privileges of the web server process.
  6. The attacker gains remote code execution on the Tenda HG3 router.
  7. The attacker may establish a reverse shell to maintain persistent access or download further malicious payloads.
  8. The attacker can then pivot to internal networks, exfiltrate data, or use the compromised router for other malicious activities.

Impact

Successful exploitation of CVE-2026-7096 grants attackers the ability to execute arbitrary OS commands on the Tenda HG3 router. This can lead to complete compromise of the device, allowing attackers to modify router settings, intercept network traffic, and potentially gain access to connected devices on the local network. Given the widespread use of Tenda routers in home and small business environments, a successful attack could impact thousands of users. The vulnerability’s high CVSS score of 8.8 underscores the severity and potential for widespread damage.

Recommendation

  • Deploy the Sigma rule “Detect Tenda HG3 Command Injection Attempt” to your SIEM to identify exploitation attempts by monitoring HTTP POST requests to ‘/boaform/admin/formgponConf’ with suspicious commands in the ‘fmgpon_loid’ parameter.
  • Implement network intrusion detection system (NIDS) rules to detect malicious payloads in HTTP POST requests targeting the vulnerable endpoint, as described in the “Attack Chain” section.
  • While no specific IOCs are provided, analyze network traffic and web server logs for unusual activity originating from or targeting Tenda HG3 routers.
  • Monitor web server logs for HTTP POST requests to /boaform/admin/formgponConf (described in Attack Chain step 2).
]]>criticaladvisorycommand-injectionroutertenda