Cyber Resilience

CVE-2025-10442

Severity: Low · Public PoC

Published: 15 September 2025
Modified: 29 April 2026
KEV Added
Patch
CVSS Score (v4): 2.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0129 (80.0th percentile)
Risk Priority: 5 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10442 is a low-severity Command Injection (CWE-77) vulnerability in Tenda Ac9 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 20.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability has been identified in Tenda AC9 and AC15 routers running firmware version 15.03.05.14. It resides in the formexeCommand function of the /goform/exeCommand endpoint, where improper handling of the cmdinput argument permits OS command injection. The issue is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 2.1.

Remote attackers who possess a low-privileged account can supply crafted input to execute arbitrary operating-system commands on the device. Successful exploitation yields limited effects on confidentiality, integrity, and availability of the affected router, with no impact on surrounding systems.

Public references include proof-of-concept code and technical details hosted on GitHub together with entries in the Vuldb database; none of the listed sources describe vendor patches or mitigation steps.

The exploit has been publicly disclosed, yet the EPSS score remains flat at 0.0113 with no observed increase since publication.

EU & UK References

Vulnerability details

A vulnerability was determined in Tenda AC9 and AC15 15.03.05.14. This affects the function formexeCommand of the file /goform/exeCommand. This manipulation of the argument cmdinput causes OS command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

OS command injection through a remote web endpoint (a public-facing application) enables T1190 (Exploit Public-Facing Application), facilitates command execution on the network device (T1059.008), and supports indirect command execution (T1202, as cited in the advisory).

CVEs Like This One

CVE-2025-10443 (same product: Tenda Ac15)
CVE-2025-25632 (same product: Tenda Ac15)
CVE-2025-22949 (same product: Tenda Ac9)
CVE-2026-24101 (same product: Tenda Ac15)
CVE-2025-0528 (same vendor: Tenda)
CVE-2026-24105 (same product: Tenda Ac15)
CVE-2025-1819 (same vendor: Tenda)
CVE-2025-7414 (same vendor: Tenda)
CVE-2025-22946 (same product: Tenda Ac9)
CVE-2025-11387 (same product: Tenda Ac15)

Affected Assets

tenda ac9 firmware 15.03.05.14
tenda ac15 firmware 15.03.05.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires validation and sanitization of the cmdinput argument before it reaches formexeCommand, blocking OS command injection at the root cause.

prevent: Limits the privileges of the authenticated session so that any commands injected via exeCommand can only affect a reduced set of OS functions and data.

prevent: Mandates timely patching or firmware updates that eliminate the unsanitized cmdinput path in /goform/exeCommand on Tenda AC9/AC15 devices.

References