Cyber Resilience

CVE-2025-0528

Severity: High · Public PoC · RCE

Published: 17 January 2025
Modified: 28 May 2025
KEV Added: (not listed)
Patch: (none listed)
CVSS Score (v4): 8.6
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0124 (79.7th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0528 is a high-severity Injection (CWE-74) vulnerability in Tenda Ac8 Firmware. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 20.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A command injection vulnerability exists in the HTTP Request Handler component of Tenda AC8, AC10, and AC18 routers running firmware 16.03.10.20. The flaw resides in the /goform/telnet endpoint, where unsanitized input allows arbitrary command execution. It is tracked as CVE-2025-0528, carries a CVSS 4.0 score of 8.6, and maps to CWE-74, CWE-77, and CWE-78.

An attacker with high privileges can send a crafted HTTP request to the affected endpoint from a remote network position. Successful exploitation grants the ability to execute operating-system commands, resulting in full control over confidentiality, integrity, and availability of the device without requiring user interaction.

Public exploit code has been released, and the EPSS score rose from a low baseline to a peak of 0.0559 on 2025-12-11 before receding to its current value of 0.0124, indicating measurable post-disclosure interest. Vendor advisories and the referenced Tenda site provide no specific mitigation guidance in the available references.
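The analysis above describes unsanitized input reaching a command interpreter through the /goform/telnet handler, and the mitigating controls on this page point to input validation (SI-10) as the preventive measure. The following is an added example, not code from the page, from Tenda, or from any published PoC: it shows the two defender-side checks a practitioner would want, a strict allowlist validator for the endpoint's parameters and a scan over web-access log lines that flags requests to /goform/telnet whose parameters fail that allowlist or carry shell metacharacters. The parameter name `telnetEn`, the Combined Log Format entries, and the use of GET query strings are all assumptions made for the example; the page does not name the handler's parameters or request method.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters and operators that should never appear in a value that is
# handed to a shell. Constructed for this example; extend as needed.
SHELL_META = re.compile(r"[;|&`$<>\n\r]|\$\(|\|\||&&")

# Allowlist for each parameter the telnet toggle endpoint accepts.
# The parameter name is hypothetical; the page does not name it.
ALLOWED_PARAMS = {
    "telnetEn": re.compile(r"[01]"),  # only "0" or "1" is acceptable
}

# Combined Log Format: src ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jan/2025:10:00:01 +0000] "GET /goform/telnet?telnetEn=1 HTTP/1.1" 200 12',
    '192.0.2.10 - - [17/Jan/2025:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Jan/2025:10:05:44 +0000] "GET /goform/telnet?telnetEn=1%3Becho%20probe HTTP/1.1" 200 12',
    '198.51.100.7 - - [17/Jan/2025:10:05:45 +0000] "GET /goform/telnet?telnetEn=on HTTP/1.1" 200 12',
]


def validate_telnet_params(params):
    """Return a list of rejection reasons for a parameter dict.

    An empty list means every parameter is known and matches its
    allowlist pattern; this is the SI-10 style check a handler should
    perform before any value reaches a command interpreter.
    """
    problems = []
    for name, value in params.items():
        pattern = ALLOWED_PARAMS.get(name)
        if pattern is None:
            problems.append(f"unexpected parameter {name!r}")
        elif not pattern.fullmatch(value):
            problems.append(f"parameter {name!r} failed allowlist")
    return problems


def scan_access_log(lines):
    """Return one alert per request to /goform/telnet that looks suspicious.

    A request is flagged when its parameters fail the allowlist or when
    any decoded value contains shell metacharacters. Each alert records
    the source address, timestamp and the reasons it was flagged.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line
        parts = urlsplit(m.group("target"))
        if parts.path != "/goform/telnet":
            continue  # only the vulnerable endpoint is of interest here
        # parse_qsl percent-decodes values once, so "%3B" becomes ";"
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        reasons = validate_telnet_params(params)
        for name, value in params.items():
            if SHELL_META.search(value):
                reasons.append(f"shell metacharacter in {name!r}")
        if reasons:
            alerts.append({"src": m.group("src"), "ts": m.group("ts"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert["ts"], alert["src"], "; ".join(alert["reasons"]))
```

The allowlist check is the control that actually closes the flaw: a handler that only accepts `0` or `1` for the toggle cannot forward attacker-controlled text to a shell. The log scan is a compensating detection for devices that cannot yet be patched; it keys on the endpoint path rather than on any specific payload, so it also catches malformed but non-malicious requests such as the `telnetEn=on` line, which is the right trade-off for a small, rarely used administrative endpoint.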

EU & UK References

Vulnerability details

A vulnerability, which was classified as critical, has been found in Tenda AC8, AC10 and AC18 16.03.10.20. Affected by this issue is some unknown functionality of the file /goform/telnet of the component HTTP Request Handler. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Command injection via HTTP on public-facing router web interface (T1190) enables execution of arbitrary commands on the network device CLI (T1059.008) through indirect command execution (T1202).

CVEs Like This One

CVE-2025-11121 (same product: Tenda Ac18)
CVE-2026-31255 (same product: Tenda Ac18)
CVE-2025-10442 (same vendor: Tenda)
CVE-2026-4253 (same product: Tenda Ac8)
CVE-2026-5547 (same product: Tenda Ac10)
CVE-2026-4554 (same vendor: Tenda)
CVE-2025-9090 (same vendor: Tenda)
CVE-2025-7415 (same vendor: Tenda)
CVE-2026-1689 (same vendor: Tenda)
CVE-2025-15048 (same vendor: Tenda)

Affected Assets

tenda ac8 firmware 16.03.10.20
tenda ac10 firmware 16.03.10.20
tenda ac18 firmware 16.03.10.20

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent (SI-2, Flaw Remediation): Directly mitigates the CVE by requiring timely identification, reporting, and patching of the command injection flaw in the Tenda router firmware.

prevent (SI-10, Information Input Validation): Prevents exploitation of the command injection vulnerability by enforcing input validation on HTTP requests to the /goform/telnet endpoint.

prevent (least privilege): Builds on the PR:H (privileges required: high) precondition; enforcing least privilege reduces the number of accounts able to reach and exploit the vulnerable HTTP handler.

References