Tenda HG3 Router Command Injection (CVE-2026-7160) Exposes Networks
A critical command injection vulnerability, CVE-2026-7160, has been identified in Tenda HG3 2.0 routers, according to the National Vulnerability Database. This flaw resides within the formTracert function of the /boaform/formTracert file. Attackers can exploit this by manipulating the datasize argument, leading to remote command execution.
The National Vulnerability Database has assigned CVE-2026-7160 a CVSS score of 8.8 (High severity), highlighting the significant risk. The attack can be performed remotely, and an exploit has already been publicly disclosed, meaning adversaries are likely already leveraging this. This isn’t theoretical; it’s an immediate threat.
For defenders, this is a clear call to action. Unpatched Tenda HG3 routers are a wide-open door. The ease of exploitation via a publicly available exploit means these devices will be quickly swept up into botnets or used as initial access points for more targeted operations. Don’t assume your edge devices are secure just because they’re ‘off the main network.’
What This Means For You
- If your organization uses Tenda HG3 2.0 routers, you are directly exposed to remote command injection via CVE-2026-7160. Immediately identify these devices within your network perimeter. Given the public exploit, assume compromise and audit logs for suspicious activity originating from or targeting these devices. Prioritize patching or isolating these routers until a fix is available.
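One way to run the log audit suggested above, as an added example (not code from NVD, Tenda or this site): it flags requests to /boaform/formTracert whose datasize value is not a plain number. The log line format, the sample lines, the `target` field and the assumption that a legitimate datasize is a short decimal number are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/boaform/formTracert"  # path named in the advisory
PARAM = "datasize"                 # argument named in the advisory
# Assumption: a legitimate datasize is a short decimal number.
NUMERIC = re.compile(r"[0-9]{1,5}")

# Constructed log lines in an assumed format: client method url body-or-dash
SAMPLE_LOG = """\
10.0.0.5 POST /boaform/formTracert target=192.0.2.1&datasize=56
10.0.0.5 GET /boaform/formTracert?target=192.0.2.1&datasize=1400 -
203.0.113.9 POST /boaform/formTracert target=192.0.2.1&datasize=56%3BCONSTRUCTED
203.0.113.9 POST /boaform/formTracert datasize=56&datasize=56%0ACONSTRUCTED
10.0.0.7 POST /other/page datasize=56%3BCONSTRUCTED
"""


def datasize_values(url, body):
    """Return every URL-decoded datasize value from the query string and body."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body != "-":
        pairs += parse_qsl(body, keep_blank_values=True)
    return [value for key, value in pairs if key == PARAM]


def suspicious_requests(log_text):
    """Return (client, value) for formTracert requests with a non-numeric datasize."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # not in the assumed format
        client, _method, url, body = parts
        if urlsplit(url).path != ENDPOINT:
            continue
        for value in datasize_values(url, body):
            # fullmatch, not match/$: a trailing newline must not pass as numeric.
            if not NUMERIC.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent datasize={value!r}")
```

Every occurrence of a repeated datasize parameter is checked, because a device and a logging proxy may not agree on which copy is used.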
🛡️ Detection Rules
5 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Web Application Exploitation Attempt — CVE-2026-7160
```yaml
title: Web Application Exploitation Attempt — CVE-2026-7160
id: scw-2026-04-27-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2026-7160 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7160/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-7160
```
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7160 | Command Injection | Tenda HG3 2.0 |
| CVE-2026-7160 | Command Injection | /boaform/formTracert |
| CVE-2026-7160 | Command Injection | function formTracert |
| CVE-2026-7160 | Command Injection | argument datasize |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.