CVE-2025-10442
Published: 15 September 2025
Summary
CVE-2025-10442 is a low-severity command injection (CWE-77) vulnerability in Tenda AC9 firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability has been identified in Tenda AC9 and AC15 routers running firmware version 15.03.05.14. It resides in the formexeCommand function of the /goform/exeCommand endpoint, where improper handling of the cmdinput argument permits OS command injection. The issue is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 2.1.
Remote attackers who possess a low-privileged account can supply crafted input to execute arbitrary operating-system commands on the device. Successful exploitation yields limited effects on confidentiality, integrity, and availability of the affected router, with no impact on surrounding systems.
Public references include proof-of-concept code and technical details hosted on GitHub, together with entries in the VulDB database; none of the listed sources describe vendor patches or mitigation steps.
The exploit has been publicly disclosed, yet the EPSS score remains flat at 0.0113 with no observed increase since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29169
Vulnerability details
A vulnerability was determined in Tenda AC9 and AC15 15.03.05.14. This affects the function formexeCommand of the file /goform/exeCommand. Manipulation of the argument cmdinput causes OS command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection via a remote web endpoint (a public-facing application) enables T1190 (Exploit Public-Facing Application), facilitates network device command execution (T1059.008), and indirect command execution (T1202, as cited in the advisory).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of the cmdinput argument before it reaches formexeCommand, blocking OS command injection at the root cause.
- Least privilege: Limits the privileges of the authenticated session so that any injected commands via exeCommand can only affect a reduced set of OS functions and data.
- SI-2 (Flaw Remediation): Mandates timely patching or firmware updates that eliminate the unsanitized cmdinput path in /goform/exeCommand on Tenda AC9/AC15 devices.
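As an added illustration of the input-validation control above (example code written for this page, not Tenda firmware or any vendor code): the endpoint path /goform/exeCommand and the parameter name cmdinput come from the advisory, while the allowlist of diagnostic commands, the access-log format and the sample log lines are constructed assumptions. The same allowlist check does double duty: it gates the parameter before any command runs (with no shell involved, so the untrusted token is only ever a single argv element), and it serves as a detection rule over access-log entries for the endpoint.

```python
"""Allowlist validation for a router diagnostic-command parameter, reused as a
detection rule over access-log lines.

Added example for CVE-2025-10442; not Tenda code. Only the path
/goform/exeCommand and the parameter name cmdinput come from the advisory;
the command allowlist, log format and sample lines below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only diagnostics a maintenance UI needs to expose,
# each mapped to a fixed argv prefix so the request never touches a shell.
ALLOWED_COMMANDS = {
    "ping": ["ping", "-c", "4"],
    "traceroute": ["traceroute", "-m", "10"],
}

# A target is a hostname or IPv4 literal: letters, digits, dots and hyphens.
# Spaces, ';', '|', '&', '$', backticks, quotes and newlines all fail this.
TARGET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Constructed access-log excerpt (format: client METHOD url status).
SAMPLE_LOG = [
    "192.0.2.10 POST /goform/exeCommand?cmdinput=ping%20198.51.100.7 200",
    "192.0.2.10 POST /goform/exeCommand?cmdinput=ping%20198.51.100.7%3B%20id 200",
    "192.0.2.11 GET /goform/status 200",
]


def validate_cmdinput(cmdinput):
    """Return (command, target) when cmdinput is an allowed diagnostic request,
    or None when it must be rejected. Exactly two whitespace-separated tokens
    are accepted, so a chained second command can never pass."""
    parts = cmdinput.split()
    if len(parts) != 2:
        return None
    name, target = parts
    if name not in ALLOWED_COMMANDS or not TARGET_RE.fullmatch(target):
        return None
    return name, target


def build_argv(cmdinput):
    """Translate validated input into an argv list for execv-style execution.
    The caller hands this to subprocess.run(argv) (shell=False), so the
    untrusted token is confined to one argument of a fixed program."""
    checked = validate_cmdinput(cmdinput)
    if checked is None:
        raise ValueError("cmdinput rejected by allowlist")
    name, target = checked
    return ALLOWED_COMMANDS[name] + [target]


def flag_requests(log_lines):
    """Apply the same allowlist to access-log entries and return the lines
    whose cmdinput would have been rejected: a cheap detection for probing of
    the /goform/exeCommand endpoint. parse_qs undoes the percent-encoding."""
    flagged = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        url = urlsplit(fields[2])
        if url.path != "/goform/exeCommand":
            continue
        for value in parse_qs(url.query).get("cmdinput", []):
            if validate_cmdinput(value) is None:
                flagged.append(line)
                break
    return flagged


if __name__ == "__main__":
    print(build_argv("ping 198.51.100.7"))
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The design point is that rejecting input by allowlist (what a legitimate request looks like) is more robust than stripping a blocklist of metacharacters, and that passing an argv list rather than a shell string removes the injection primitive entirely even if a validation gap remains.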