📄 Description (English)
A security flaw has been discovered in Tenda HG3 2.0 300003070. This vulnerability affects the function formgponConf of the file /boaform/admin/formgponConf. The manipulation of the argument fmgpon_loid results in os command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
🤖 AI Executive Summary
A critical OS command injection vulnerability exists in Tenda HG3 2.0 firmware (version 300003070) affecting the /boaform/admin/formgponConf endpoint. The fmgpon_loid parameter is improperly sanitized, allowing unauthenticated remote attackers to execute arbitrary system commands with device privileges. With public exploit availability and no patch currently available, this poses immediate risk to organizations using this router model.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 30, 2026 21:42
🇸🇦 Saudi Arabia Impact Assessment
Saudi telecommunications operators (STC, Mobily, Zain) and ISPs utilizing Tenda HG3 devices for customer premises equipment (CPE) are at significant risk. Government agencies and critical infrastructure operators using these routers for network access face potential compromise of internal networks. Banking sector organizations with branch connectivity through affected devices could experience unauthorized access to financial systems. Healthcare facilities relying on these routers for network infrastructure may face service disruption and data breach risks. The vulnerability enables complete device takeover, potentially allowing lateral movement into connected networks.
🏢 Affected Saudi Sectors
Telecommunications (STC, Mobily, Zain)
Internet Service Providers
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Education
Retail and E-commerce
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify and inventory all Tenda HG3 devices running firmware version 300003070 across your organization
2. Isolate affected devices from critical network segments if possible, or implement network segmentation
3. Restrict administrative access to the /boaform/admin/formgponConf endpoint using firewall rules
4. Monitor for suspicious command execution patterns on affected devices
COMPENSATING CONTROLS (until patch available):
5. Implement Web Application Firewall (WAF) rules to block requests containing shell metacharacters (|, ;, &, $, `, >, <) in the fmgpon_loid parameter
6. Disable remote management features if not required; restrict admin access to trusted IP ranges only
7. Change default credentials on all affected devices immediately
8. Enable logging and monitoring of /boaform/admin/ endpoint access
DETECTION RULES:
- Monitor for HTTP POST requests to /boaform/admin/formgponConf with fmgpon_loid parameter containing: pipe (|), semicolon (;), ampersand (&), backtick (`), dollar sign ($), or command substitution syntax
- Alert on any process execution initiated from web server processes (boa/httpd) on affected devices
- Track failed authentication attempts followed by successful command injection attempts
PATCHING STRATEGY:
9. Contact Tenda support for firmware updates; check vendor website regularly for patches
10. Prepare upgrade procedure and test in lab environment before production deployment
11. Establish timeline for device replacement if patches are not released within 30 days
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد وحصر جميع أجهزة Tenda HG3 التي تعمل بإصدار البرنامج الثابت 300003070 عبر مؤسستك
2. عزل الأجهزة المتأثرة عن قطاعات الشبكة الحرجة إن أمكن، أو تطبيق تقسيم الشبكة
3. تقييد الوصول الإداري إلى نقطة النهاية /boaform/admin/formgponConf باستخدام قواعد جدار الحماية
4. مراقبة أنماط تنفيذ الأوامر المريبة على الأجهزة المتأثرة
الضوابط البديلة (حتى توفر التصحيح):
5. تطبيق قواعد جدار تطبيقات الويب (WAF) لحجب الطلبات التي تحتوي على أحرف shell (|، ;، &، $، `، >، <) في معامل fmgpon_loid
6. تعطيل ميزات الإدارة البعيدة إذا لم تكن مطلوبة؛ تقييد الوصول الإداري على نطاقات IP موثوقة فقط
7. تغيير بيانات الاعتماد الافتراضية على جميع الأجهزة المتأثرة فوراً
8. تفعيل تسجيل ومراقبة الوصول إلى نقطة النهاية /boaform/admin/
قواعد الكشف:
- مراقبة طلبات HTTP POST إلى /boaform/admin/formgponConf مع معامل fmgpon_loid يحتوي على: أنبوب (|)، فاصلة منقوطة (;)، علامة العطف (&)، علامة خلفية (`)، علامة دولار ($)، أو بناء جملة استبدال الأوامر
- تنبيه عند تنفيذ أي عملية بدأت من عمليات خادم الويب (boa/httpd) على الأجهزة المتأثرة
- تتبع محاولات المصادقة الفاشلة متبوعة بمحاولات حقن أوامر ناجحة
استراتيجية التصحيح:
9. الاتصال بدعم Tenda للحصول على تحديثات البرنامج الثابت؛ تحقق من موقع البائع بانتظام للحصول على التصحيحات
10. تحضير إجراء الترقية واختباره في بيئة المختبر قبل نشره في الإنتاج
11. وضع جدول زمني لاستبدال الجهاز إذا لم يتم إصدار التصحيحات خلال 30 يوماً
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 - 5.1.1: Access Control - Unauthorized command execution violates access control requirements
ECC 2024 - 5.2.1: Authentication - Remote unauthenticated exploitation indicates authentication bypass
ECC 2024 - 5.3.1: Encryption - Device compromise may lead to unencrypted data exposure
ECC 2024 - 6.1.1: Vulnerability Management - Unpatched critical vulnerability violates patch management requirements
🔵 SAMA CSF
Governance & Risk Management - GRM-01: Risk assessment and management of critical infrastructure devices
Information Security - IS-01: Access control and authentication mechanisms
Information Security - IS-04: Vulnerability and patch management
Operational Resilience - OR-02: Incident detection and response capabilities
🟡 ISO 27001:2022
A.5.15: Access Control - Restriction of access to information and information processing facilities
A.5.16: Authentication - User identification and authentication mechanisms
A.6.5: Supplier Relationships - Security requirements for third-party devices and services
A.8.1: Asset Management - Inventory and control of assets including network devices
A.8.6: Vulnerability Management - Identification, evaluation, and remediation of vulnerabilities
🟣 PCI DSS v4.0.1
Requirement 1.1: Firewall configuration standards - Network segmentation of affected devices
Requirement 2.1: Default security parameters - Change default credentials on affected devices
Requirement 6.2: Security patches - Vulnerability remediation and patch management
Requirement 11.2: Vulnerability scanning - Regular scanning for exploitation attempts
🔗 References & Sources 5
🔗
https://vuldb.com/submit/800796
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/vuln/359671
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/vuln/359671/cti
cna@vuldb.com
Permissions Required
VDB Entry
🔗
https://www.notion.so/Tenda-HG3-3250c75766a880c7b50fde0466557c5f
cna@vuldb.com
Exploit
Third Party Advisory
🔗
https://www.tenda.com.cn/
cna@vuldb.com
Product
📦 Affected Products / CPE 1 entries
tenda:hg3_firmware:300003070