Tenda HG3 Router OS Command Injection (CVE-2026-7119)
A critical OS command injection vulnerability, tracked as CVE-2026-7119, has been identified in the Tenda HG3 2.0 router. According to the National Vulnerability Database, the flaw resides in an unspecified function within the /boaform/formCountrystr file. Manipulation of the countrystr argument allows for remote command injection.
This vulnerability carries a CVSSv3.1 score of 8.8 (HIGH), indicating severe risk. The National Vulnerability Database states that the attack can be executed remotely, and an exploit is publicly available. This significantly lowers the bar for attackers, enabling widespread exploitation against unpatched devices.
For defenders, this means Tenda HG3 2.0 routers are exposed to immediate compromise if not secured. Attackers can leverage this to gain full control over affected devices, potentially pivoting into internal networks. The lack of specificity on affected products from the National Vulnerability Database means CISOs should assume all Tenda HG3 2.0 units are vulnerable.
What This Means For You
- If your organization uses Tenda HG3 2.0 routers, you must assume they are compromised or imminently at risk. Immediately isolate these devices from critical networks, patch them if a fix is available (though none is specified yet), and hunt for any suspicious activity or unauthorized access attempts. This isn't theoretical — public exploits mean active targeting is inevitable.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Tenda HG3 OS Command Injection via formCountrystr - CVE-2026-7119
title: Tenda HG3 OS Command Injection via formCountrystr - CVE-2026-7119
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
Detects the specific path and parameter used in the Tenda HG3 OS Command Injection vulnerability (CVE-2026-7119). The vulnerability allows remote attackers to inject OS commands by manipulating the 'countrystr' parameter within the '/boaform/formCountrystr' endpoint.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7119/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/boaform/formCountrystr'
cs-uri-query|contains:
- 'countrystr='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7119 | Command Injection | Tenda HG3 2.0 |
| CVE-2026-7119 | Command Injection | /boaform/formCountrystr |
| CVE-2026-7119 | Command Injection | argument countrystr |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 27, 2026 at 15:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Totolink A8000RU Critical OS Command Injection (CVE-2026-7125)
CVE-2026-7125 — A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component...
CVE-2026-7124: Critical OS Command Injection in Totolink A8000RU Routers
CVE-2026-7124 — A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component...
CVE-2026-7123: Critical Command Injection in Totolink Routers Exposes Networks
CVE-2026-7123 — A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing...