Cyber Posture

CVE-2025-1819

Medium

Published: 02 March 2025

Published
02 March 2025
Modified
16 July 2025
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0074 72.9th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1819 is a medium-severity Command Injection (CWE-77) vulnerability in Tenda Ac7 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the OS command injection flaw in the TendaTelnet function by applying firmware patches or updates.

SI-10 Information Input Validation good match
prevent

Validates and sanitizes the lan_ip input parameter to block command injection manipulations in the /goform/telnet endpoint.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Scans systems for the specific CVE-2025-1819 vulnerability in Tenda AC7 firmware to identify exploitable routers.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

Direct OS command injection in public-facing router web form (/goform/telnet) enables remote exploitation of the device (T1190) and arbitrary command execution via its CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability, which was classified as critical, was found in Tenda AC7 1200M 15.03.06.44. Affected is the function TendaTelnet of the file /goform/telnet. The manipulation of the argument lan_ip leads to os command injection. It is possible to launch the…

more

attack remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-1819 is a critical vulnerability in Tenda AC7 1200M routers running firmware version 15.03.06.44. It affects the TendaTelnet function within the /goform/telnet file, where manipulation of the lan_ip argument enables OS command injection, classified under CWEs-77 and CWE-78.

The vulnerability allows remote exploitation (AV:N) with low attack complexity (AC:L) by users possessing low privileges (PR:L), requiring no user interaction (UI:N) and maintaining unchanged scope (S:U). Successful attacks result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 6.3.

Advisories reference a GitHub repository containing the disclosed exploit for Tenda AC7 V15.03.06.44 command injection, along with VulDB entries at ctiid.298092, id.298092, and submit.504429, plus the official Tenda website at tenda.com.cn. The exploit has been publicly disclosed and may be used.

Details

CWE(s)
CWE-77CWE-78

Affected Products

tenda
ac7 firmware
15.03.06.44

CVEs Like This One

CVE-2025-11523Same product: Tenda Ac7
CVE-2025-11528Same product: Tenda Ac7
CVE-2025-8017Same product: Tenda Ac7
CVE-2025-11525Same product: Tenda Ac7
CVE-2025-11527Same product: Tenda Ac7
CVE-2025-1851Same product: Tenda Ac7
CVE-2025-29137Same product: Tenda Ac7
CVE-2025-11526Same product: Tenda Ac7
CVE-2025-29135Same product: Tenda Ac7
CVE-2025-11586Same product: Tenda Ac7

References