CVE-2025-25675
Published: 20 February 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-25675 is a command injection vulnerability affecting the Tenda AC10 V1.0 router running firmware version V15.03.06.23. The flaw is located in the formexeCommand function, where the str variable directly receives user input from the cmdinput parameter in a POST request. This input is then assigned to the cmd_buf variable and passed without sanitization to the doSystemCmd function, enabling arbitrary command execution on the device.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. Remote attackers require no authentication or user interaction and can exploit it over the network with low complexity. Successful exploitation grants attackers arbitrary command execution, allowing full compromise of the router, including data exfiltration, modification of configurations, or further network pivoting.
Details on the vulnerability, including proof-of-concept exploitation, are available in the GitHub repository at https://github.com/jangfan/my-vuln/blob/main/Tenda/AC10V1/formexeCommand.md. No vendor advisories or patches are referenced in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated remote command injection in the web interface (formexeCommand) of a Tenda router that passes unsanitized input to doSystemCmd, directly enabling exploitation of a public-facing application (T1190) and arbitrary command execution via Unix Shell on the embedded Linux firmware (T1059.004).