CVE-2025-22949

CriticalPublic PoC

Published: 10 January 2025

Published

10 January 2025

Modified

09 April 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0823 92.2th percentile

Risk Priority 25 60% EPSS · 20% KEV · 20% CVSS

Description

Tenda ac9 v1.0 firmware v15.03.05.19 is vulnerable to command injection in /goform/SetSambaCfg, which may lead to remote arbitrary code execution.

Security Summary

CVE-2025-22949 is a command injection vulnerability (CWE-77) affecting the Tenda AC9 v1.0 router running firmware version v15.03.05.19. The flaw resides in the /goform/SetSambaCfg endpoint, where insufficient input validation allows attackers to inject and execute arbitrary operating system commands. Published on 2025-01-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

Remote attackers can exploit this vulnerability over the network without authentication or user interaction. By sending a specially crafted HTTP request to the vulnerable endpoint, an unauthenticated adversary gains the ability to execute arbitrary code on the device, potentially leading to full remote code execution (RCE) and complete compromise of the router.

For mitigation details, refer to the advisory at https://noisy-caravel-a9a.notion.site/Tenda_AC9V1-0_V15-03-05-19_formSetSambaConf_doSystemCmd_CI-16f898c94eac80d5801bdaf777ac2b27, which documents the command injection in the doSystemCmd function.

Details

CWE(s): CWE-77

Affected Products

tenda

ac9 firmware

15.03.05.19

References

https://noisy-caravel-a9a.notion.site/Tenda_AC9V1-0_V15-03-05-19_formSetSambaConf_doSystemCmd_CI-16f898c94eac80d5801bdaf777ac2b27
Exploit, Third Party Advisory · cve@mitre.org