CVE-2025-11523
Published: 09 October 2025
Summary
CVE-2025-11523 is a low-severity Injection (CWE-74) vulnerability in Tenda Ac7 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability has been identified in Tenda AC7 firmware version 15.03.06.44 within the /goform/AdvSetLanip endpoint. Manipulation of the lanIp argument allows command injection, classified under CWE-74 and CWE-77. The issue can be triggered remotely and carries a CVSS 4.0 score of 2.1, reflecting limited impact combined with low attack complexity.
An authenticated attacker with low privileges can supply crafted input to the lanIp parameter and execute arbitrary commands on the device. Public proof-of-concept code is available that demonstrates remote exploitation without user interaction.
The exploit has been published on GitHub and referenced in vulnerability databases, though no vendor advisory or patch information is provided in the available references. The associated EPSS score remains low, with a current value of 0.0099 and a peak of 0.0104.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-33259
Vulnerability details
A vulnerability was detected in Tenda AC7 15.03.06.44. This vulnerability affects unknown code of the file /goform/AdvSetLanip. The manipulation of the argument lanIp results in command injection. It is possible to launch the attack remotely. The exploit is now public…
more
and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote command injection in the public-facing web management interface (/goform/AdvSetLanip) of the Tenda AC7 router, enabling exploitation of a public-facing application (T1190) and indirect command execution via injected commands in the lanIp parameter (T1202).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the lanIp argument in /goform/AdvSetLanip to block command injection payloads.
Mandates timely remediation of the known command-injection flaw in Tenda AC7 firmware 15.03.06.44 once a patch is issued.
Restricts remote network access to the router's management interface, reducing the attack surface for the publicly disclosed exploit.