MEDIUMCVE-2026-4253CVSS 4.7

Tenda AC8 Web UploadCfg route_set_user_policy_rule os command injection

Platform

tenda

Component

tenda_ac8_v5

AI Confidence: highNVDEPSS 0.4%

A security flaw has been discovered in Tenda AC8 16.03.50.11. This affects the function routesetuserpolicyrule of the file /cgi-bin/UploadCfg of the component Web Interface. The manipulation of the argument wans.policy.list1 results in os command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.38% (59% percentile)

CISA SSVC

Exploitationpoc

Automatableno

Technical Impactpartial

CVSS Vector

Affected Software

Componenttenda_ac8_v5

VendorTenda

Affected rangeFixed in

16.03.50.11 – 16.03.50.11—

Weakness Classification (CWE)

CWE-78 CWE-77

Timeline

Reserved2026-03-16
Published2026-03-16
EPSS updated2026-03-24

Unpatched — 69 days since disclosure

How to fix

Actualice el firmware del router Tenda AC8 a una versión posterior a 16.03.50.11 para mitigar la vulnerabilidad de inyección de comandos. Consulte el sitio web del fabricante para obtener la última versión del firmware y las instrucciones de actualización.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.