CVE-2025-1819
Published: 02 March 2025
Description
A vulnerability, which was classified as critical, was found in Tenda AC7 1200M 15.03.06.44. Affected is the function TendaTelnet of the file /goform/telnet. The manipulation of the argument lan_ip leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2025-1819 is a critical vulnerability in Tenda AC7 1200M routers running firmware version 15.03.06.44. It affects the TendaTelnet function within the /goform/telnet file, where manipulation of the lan_ip argument enables OS command injection, classified under CWEs-77 and CWE-78.
The vulnerability allows remote exploitation (AV:N) with low attack complexity (AC:L) by users possessing low privileges (PR:L), requiring no user interaction (UI:N) and maintaining unchanged scope (S:U). Successful attacks result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 6.3.
Advisories reference a GitHub repository containing the disclosed exploit for Tenda AC7 V15.03.06.44 command injection, along with VulDB entries at ctiid.298092, id.298092, and submit.504429, plus the official Tenda website at tenda.com.cn. The exploit has been publicly disclosed and may be used.
Details
- CWE(s)