CVE-2025-11523
Published: 09 October 2025
Description
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Security Summary
CVE-2025-11523 is a command injection vulnerability (CWE-74, CWE-77) in Tenda AC7 routers running firmware version 15.03.06.44. The flaw affects unknown code in the /goform/AdvSetLanip file, where manipulation of the lanIp argument enables command injection. Published on 2025-10-09, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges can exploit this vulnerability remotely without user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as executing arbitrary commands on the device.
VulDB advisories (ctiid.327661, id.327661) document the issue, and a proof-of-concept exploit is publicly available on GitHub at noahze01/IoT-vulnerable/blob/main/Tenda/AC7/AdvSetLanip.md. Security practitioners should monitor the Tenda website for firmware updates or mitigation guidance.
The public exploit increases the risk of real-world attacks against exposed Tenda AC7 devices.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote command injection in the public-facing web management interface (/goform/AdvSetLanip) of the Tenda AC7 router, enabling exploitation of a public-facing application (T1190) and indirect command execution via injected commands in the lanIp parameter (T1202).