Cyber Posture

CVE-2025-0528

High · Public PoC · RCE

Published: 17 January 2025

Modified: 28 May 2025
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0092 (76.0th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0528 is a high-severity Injection (CWE-74) vulnerability in Tenda Ac8 Firmware. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Directly mitigates the CVE by requiring timely identification, reporting, and patching of the command injection flaw in the Tenda router firmware.

Prevent: Prevents exploitation of the command injection vulnerability by enforcing input validation mechanisms on HTTP requests to the /goform/telnet endpoint.

Prevent: Limits the impact of the PR:H requirement by enforcing least privilege, reducing the number of accounts able to access and exploit the vulnerable HTTP handler.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

Command injection via HTTP on the public-facing router web interface (T1190) enables execution of arbitrary commands on the network device CLI (T1059.008) through indirect command execution (T1202).

NVD Description

A vulnerability, which was classified as critical, has been found in Tenda AC8, AC10 and AC18 16.03.10.20. Affected by this issue is some unknown functionality of the file /goform/telnet of the component HTTP Request Handler. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Deeper analysis · AI

CVE-2025-0528 is a critical command injection vulnerability (CVSS 7.2, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) affecting Tenda AC8, AC10, and AC18 routers on firmware version 16.03.10.20. The flaw impacts an unknown functionality in the /goform/telnet endpoint of the HTTP Request Handler component, stemming from CWE-74 (Improper Neutralization of Special Elements), CWE-77 (Command Injection), and CWE-78 (OS Command Injection).

A remote attacker with high privileges (PR:H) can exploit the vulnerability by manipulating HTTP requests to the affected endpoint, enabling arbitrary command execution without user interaction. Exploitation results in high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing full device compromise such as unauthorized access, data exfiltration, or persistent control.

Advisories from VulDB and a public GitHub repository detail the issue, confirming remote exploitability and providing a proof-of-concept in the form of a Markdown write-up for Tenda AC10 v16.03.10.20 telnet access. The Tenda vendor website is referenced for potential updates, though no specific patches are detailed in the available information; practitioners should monitor these sources for mitigation guidance.

Details

CWE(s)

Affected Products

tenda, ac8 firmware, 16.03.10.20
tenda, ac10 firmware, 16.03.10.20
tenda, ac18 firmware, 16.03.10.20

CVEs Like This One

CVE-2025-11121 (Same product: Tenda Ac18)
CVE-2025-10442 (Same vendor: Tenda)
CVE-2026-31255 (Same product: Tenda Ac18)
CVE-2026-4253 (Same product: Tenda Ac8)
CVE-2026-5547 (Same product: Tenda Ac10)
CVE-2026-4554 (Same vendor: Tenda)
CVE-2025-7415 (Same vendor: Tenda)
CVE-2025-9090 (Same vendor: Tenda)
CVE-2026-5153 (Same vendor: Tenda)
CVE-2025-15048 (Same vendor: Tenda)

References