CVE-2025-0528
Published: 17 January 2025
Description
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Security Summary
CVE-2025-0528 is a critical command injection vulnerability (CVSS 7.2, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) affecting Tenda AC8, AC10, and AC18 routers on firmware version 16.03.10.20. The flaw is in unspecified functionality of the /goform/telnet endpoint of the HTTP Request Handler component and is classified under CWE-74 (Improper Neutralization of Special Elements), CWE-77 (Command Injection), and CWE-78 (OS Command Injection).
A remote attacker with high privileges (PR:H) can exploit the vulnerability by manipulating HTTP requests to the affected endpoint, enabling arbitrary command execution without user interaction. Exploitation results in high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing full device compromise such as unauthorized access, data exfiltration, or persistent control.
Advisories from VulDB and a public GitHub repository detail the issue, confirming remote exploitability and providing a proof-of-concept in the form of a Markdown write-up for Tenda AC10 v16.03.10.20 telnet access. The Tenda vendor website is referenced for potential updates, though no specific patches are detailed in the available information; practitioners should monitor these sources for mitigation guidance.
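Until a fix is available, requests to the affected endpoint are worth alerting on. The following is an added example, not code from the advisories or the vendor: it scans HTTP access logs for requests whose path normalizes to /goform/telnet. The combined log format (as an upstream proxy or network sensor might record it), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

WATCHED_PATH = "/goform/telnet"  # endpoint named in the summary above

# Common/combined access-log layout (assumption about the log source).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Reduce a request target to a comparable path. Matching is deliberately
    broad for detection; it is not a claim about how the device parses paths."""
    path = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/?#]*", "", target)  # absolute-form
    path = re.split(r"[?#]", path, maxsplit=1)[0]                     # drop query/fragment
    for _ in range(2):                                                # single and double encoding
        path = unquote(path)
    path = re.sub(r"/{2,}", "/", path).lower()                        # collapse slashes, fold case
    return path.rstrip("/") or "/"

def find_hits(lines):
    """Return {source: [(timestamp, method, status), ...]} for WATCHED_PATH requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        if normalize_path(m["target"]) == WATCHED_PATH:
            hits[m["src"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [17/Jan/2025:10:00:05 +0000] "POST /goform/telnet HTTP/1.1" 200 128 "-" "-"',
    '198.51.100.7 - - [17/Jan/2025:10:00:09 +0000] "GET /GoForm//%74elnet/?a=1 HTTP/1.1" 200 128 "-" "-"',
    '203.0.113.5 - - [17/Jan/2025:10:01:00 +0000] "GET /goform/telnetd HTTP/1.1" 404 0 "-" "-"',
    'this line is not an access-log entry',
]

if __name__ == "__main__":
    for src, events in find_hits(SAMPLE_LOG).items():
        print(src, events)
```

Because the vector is PR:H, a hit that follows an administrative login from an unexpected source deserves the closest look.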
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection over HTTP against a public-facing router web interface (T1190) enables execution of arbitrary commands on the network device CLI (T1059.008) through indirect command execution (T1202).