CVE-2025-11523
Published: 09 October 2025
Summary
CVE-2025-11523 is a medium-severity Injection (CWE-74) vulnerability in Tenda Ac7 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection in the lanIp argument by validating and sanitizing inputs to the /goform/AdvSetLanip endpoint.
Requires timely patching of the specific command injection flaw in Tenda AC7 firmware version 15.03.06.44.
Enables detection of the CVE-2025-11523 vulnerability through regular scanning of exposed Tenda AC7 routers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote command injection in the public-facing web management interface (/goform/AdvSetLanip) of the Tenda AC7 router, enabling exploitation of a public-facing application (T1190) and indirect command execution via injected commands in the lanIp parameter (T1202).
NVD Description
A vulnerability was detected in Tenda AC7 15.03.06.44. This vulnerability affects unknown code of the file /goform/AdvSetLanip. The manipulation of the argument lanIp results in command injection. It is possible to launch the attack remotely. The exploit is now public…
more
and may be used.
Deeper analysisAI
CVE-2025-11523 is a command injection vulnerability affecting the Tenda AC7 router on firmware version 15.03.06.44. The flaw exists in unknown code within the /goform/AdvSetLanip file, where manipulation of the lanIp argument enables command injection. Published on 2025-10-09, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection).
Attackers can exploit this vulnerability remotely over the network with low complexity and low privileges, such as those of an authenticated user, requiring no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling arbitrary command execution on the device.
Advisories and exploit details are documented on VulDB (https://vuldb.com/?ctiid.327661, https://vuldb.com/?id.327661, https://vuldb.com/?submit.669849) and a public proof-of-concept is available on GitHub (https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC7/AdvSetLanip.md). The vendor site (https://www.tenda.com.cn/) provides general product information, but no specific patch or mitigation details are outlined in the references.
The exploit is now public and may be used, posing an elevated risk to unpatched Tenda AC7 devices exposed to the internet.
Details
- CWE(s)