Cyber Resilience

CVE-2025-11523

Low, Public PoC

Published: 09 October 2025

Modified: 29 April 2026
CVSS Score v4: 2.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0099 (77.3th percentile)
Risk Priority: 5 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11523 is a low-severity Injection (CWE-74) vulnerability in Tenda AC7 firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability has been identified in Tenda AC7 firmware version 15.03.06.44 within the /goform/AdvSetLanip endpoint. Manipulation of the lanIp argument allows command injection, classified under CWE-74 and CWE-77. The issue can be triggered remotely and carries a CVSS 4.0 score of 2.1, reflecting limited impact combined with low attack complexity.

An authenticated attacker with low privileges can supply crafted input to the lanIp parameter and execute arbitrary commands on the device. Public proof-of-concept code is available that demonstrates remote exploitation without user interaction.

The exploit has been published on GitHub and referenced in vulnerability databases, though no vendor advisory or patch information is provided in the available references. The associated EPSS score remains low, with a current value of 0.0099 and a peak of 0.0104.

Vulnerability details

A vulnerability was detected in Tenda AC7 15.03.06.44. This vulnerability affects unknown code of the file /goform/AdvSetLanip. The manipulation of the argument lanIp results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

The vulnerability is a remote command injection in the public-facing web management interface (/goform/AdvSetLanip) of the Tenda AC7 router, enabling exploitation of a public-facing application (T1190) and indirect command execution via injected commands in the lanIp parameter (T1202).

CVEs Like This One

CVE-2025-1819 (Same product: Tenda Ac7)
CVE-2025-8017 (Same product: Tenda Ac7)
CVE-2025-29137 (Same product: Tenda Ac7)
CVE-2025-1851 (Same product: Tenda Ac7)
CVE-2025-11528 (Same product: Tenda Ac7)
CVE-2025-11525 (Same product: Tenda Ac7)
CVE-2025-11527 (Same product: Tenda Ac7)
CVE-2025-11586 (Same product: Tenda Ac7)
CVE-2025-29135 (Same product: Tenda Ac7)
CVE-2025-11526 (Same product: Tenda Ac7)

Affected Assets

tenda
ac7 firmware
15.03.06.44

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the lanIp argument in /goform/AdvSetLanip to block command injection payloads.

prevent

Mandates timely remediation of the known command-injection flaw in Tenda AC7 firmware 15.03.06.44 once a patch is issued.

prevent

Restricts remote network access to the router's management interface, reducing the attack surface for the publicly disclosed exploit.

References