CVE-2025-0528
Published: 17 January 2025
Summary
CVE-2025-0528 is a high-severity Injection (CWE-74) vulnerability in Tenda AC8 firmware (the AC10 and AC18 models on the same firmware build are also affected; see below). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A command injection vulnerability exists in the HTTP Request Handler component of Tenda AC8, AC10, and AC18 routers running firmware 16.03.10.20. The flaw resides in the /goform/telnet endpoint, where unsanitized input allows arbitrary command execution. It is tracked as CVE-2025-0528, carries a CVSS 4.0 score of 8.6, and maps to CWE-74, CWE-77, and CWE-78.
An attacker who already holds high privileges on the device (CVSS PR:H) can send a crafted HTTP request to the affected endpoint from a remote network position. Successful exploitation yields operating-system command execution on the router, and therefore full loss of confidentiality, integrity, and availability of the device, with no user interaction required.
Public exploit code has been released. The EPSS score rose from a low baseline to a peak of 0.0559 on 2025-12-11 before receding to its current value of 0.0124, indicating measurable post-disclosure interest. The referenced Tenda site provides no specific mitigation guidance in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1737
Vulnerability details
A vulnerability, which was classified as critical, has been found in Tenda AC8, AC10 and AC18 16.03.10.20. Affected by this issue is some unknown functionality of the file /goform/telnet of the component HTTP Request Handler. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection through the router's public-facing web interface is an instance of Exploit Public-Facing Application (T1190). The injected input is executed by the device's command interpreter, which maps to Command and Scripting Interpreter: Network Device CLI (T1059.008). Because the attacker's commands are run on their behalf by the HTTP handler rather than invoked directly, the mapping also includes Indirect Command Execution (T1202).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely identification, reporting, and patching of the command injection flaw in the Tenda router firmware.
- SI-10 (Information Input Validation): prevents exploitation by enforcing input validation on HTTP requests to the /goform/telnet endpoint, so that request parameters can never reach a command interpreter unchecked.
- AC-6 (Least Privilege): because exploitation requires high privileges (PR:H), limiting the number of accounts able to reach the vulnerable HTTP handler reduces who can exploit it.
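The following C program is an added illustration of the CWE-78 pattern behind this class of bug and of the SI-10 input-validation control; it is not code from the Tenda firmware and does not reproduce the actual /goform/telnet handler. The helper binary (/bin/echo), the parameter name (arg) and the sample request targets are all constructed for the example. It contrasts a handler that pastes a request parameter into a shell command line with one that allowlists the parameter and executes without a shell, and it includes a small detection check over decoded request targets (the same check applies to a decoded POST body) that flags /goform/telnet requests carrying shell metacharacters.

```c
/* Added example: vulnerable vs. hardened handling of an HTTP parameter,
 * plus a detection rule. Everything here is hypothetical and constructed
 * for illustration; it is not Tenda's code. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_PARAM 32

/* Vulnerable pattern (CWE-78): the request parameter is interpolated into a
 * command line destined for system()/popen(). A value like "lan0;id" makes
 * the shell run a second command. The string is only built here, never run. */
int build_cmd_vulnerable(const char *param, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/bin/echo %s", param); /* hypothetical helper */
    return n > 0 && (size_t)n < outlen;
}

/* Allowlist validation (SI-10): bounded length and a strict character class.
 * Rejecting anything outside the allowlist is safer than stripping "bad"
 * characters, because the dangerous set depends on the shell and on how the
 * value is used downstream. */
int param_is_allowed(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > MAX_PARAM)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Hardened handler: validate first, then execute without a shell so the
 * parameter is a single argv element whatever it contains. Returns -1 when
 * the input is rejected (nothing is run), else the child's exit status. */
int hardened_handler(const char *param)
{
    if (!param_is_allowed(param))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { "/bin/echo", (char *)param, NULL }; /* hypothetical helper */
        execv(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Percent-decode in place. Exploit traffic commonly encodes ";" as "%3B",
 * so a detection rule that matches the raw target misses it. */
static void url_decode(char *s)
{
    char *w = s;
    for (char *r = s; *r; r++) {
        if (*r == '%' && isxdigit((unsigned char)r[1]) && isxdigit((unsigned char)r[2])) {
            char hex[3] = { r[1], r[2], 0 };
            *w++ = (char)strtol(hex, NULL, 16);
            r += 2;
        } else if (*r == '+') {
            *w++ = ' ';
        } else {
            *w++ = *r;
        }
    }
    *w = 0;
}

/* Detection: flag a /goform/telnet request whose decoded query string
 * contains shell metacharacters. Returns 1 to alert, 0 otherwise. */
int request_looks_injected(const char *target)
{
    if (strncmp(target, "/goform/telnet", 14) != 0)
        return 0;
    const char *q = strchr(target, '?');
    if (!q)
        return 0;
    char buf[512];
    snprintf(buf, sizeof buf, "%s", q + 1);
    url_decode(buf);
    return strpbrk(buf, ";|&`$()<>\n\r'\"\\") != NULL;
}

int main(void)
{
    /* Constructed sample request targets, not captured traffic. */
    const char *samples[] = {
        "/goform/telnet?arg=lan0",
        "/goform/telnet?arg=lan0%3Bid",
        "/goform/telnet?arg=$(id)",
        "/goform/other?arg=x;id",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-36s %s\n", samples[i], request_looks_injected(samples[i]) ? "ALERT" : "ok");

    char cmd[128];
    build_cmd_vulnerable("lan0;id", cmd, sizeof cmd);
    printf("vulnerable handler would hand the shell: %s\n", cmd);
    printf("hardened_handler(\"lan0;id\") = %d (rejected, nothing run)\n", hardened_handler("lan0;id"));
    printf("hardened_handler(\"lan0\") = %d\n", hardened_handler("lan0"));
    return 0;
}
```

The two halves reinforce each other: the allowlist is what makes the hardened handler safe even if a future change routes the value through a shell, and the decode-then-match step is what keeps the detection rule from being bypassed by percent-encoding. The detection rule is a coarse first filter; on a real device the endpoint's expected parameters should be enumerated so anything outside them, not just metacharacters, is flagged.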