Cyber Resilience

CVE-2025-1819

Medium

Published: 02 March 2025

Modified: 16 July 2025
KEV Added
Patch
CVSS Score v4: 5.3
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0074 (73.3rd percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1819 is a medium-severity Command Injection (CWE-77) vulnerability in Tenda AC7 firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 26.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

A critical OS command injection vulnerability was discovered in the Tenda AC7 1200M wireless router running firmware version 15.03.06.44. The flaw resides in the TendaTelnet function within the /goform/telnet endpoint, where unsanitized input to the lan_ip parameter allows arbitrary command execution. The issue is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 5.3.

An authenticated remote attacker can supply a crafted lan_ip value to execute operating-system commands on the device. Because the attack can be launched over the network without user interaction, an adversary who obtains low-privileged credentials or re-uses a session can potentially alter device configuration, exfiltrate data, or pivot further into the local network. A public proof-of-concept has already been posted to GitHub.

The EPSS score for the vulnerability rose from a low baseline to a recorded peak of 0.0166, indicating that exploitation interest increased after disclosure. No vendor advisory or firmware update addressing the issue has been referenced in the available sources.

EU & UK References

Vulnerability details

A vulnerability, which was classified as critical, was found in Tenda AC7 1200M 15.03.06.44. Affected is the function TendaTelnet of the file /goform/telnet. The manipulation of the argument lan_ip leads to OS command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI · Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Direct OS command injection in the router's public-facing web form (/goform/telnet) enables remote exploitation of the device (T1190) and arbitrary command execution via its CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-11523 · Same product: Tenda Ac7
CVE-2025-8017 · Same product: Tenda Ac7
CVE-2025-29137 · Same product: Tenda Ac7
CVE-2025-1851 · Same product: Tenda Ac7
CVE-2025-11528 · Same product: Tenda Ac7
CVE-2025-11525 · Same product: Tenda Ac7
CVE-2025-11527 · Same product: Tenda Ac7
CVE-2025-11586 · Same product: Tenda Ac7
CVE-2025-29135 · Same product: Tenda Ac7
CVE-2025-11526 · Same product: Tenda Ac7

Affected Assets

tenda
ac7 firmware
15.03.06.44

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the OS command injection flaw in the TendaTelnet function by applying firmware patches or updates.

prevent

Validates and sanitizes the lan_ip input parameter to block command injection manipulations in the /goform/telnet endpoint.

detect

Scans systems for the specific CVE-2025-1819 vulnerability in Tenda AC7 firmware to identify exploitable routers.
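
The input-validation control for lan_ip described above, shown as an added example (not code from Tenda or from this page): a strict allow-list check that accepts only a dotted-quad IPv4 address and rebuilds it from the parsed integers. The function name validate_lan_ip, its signature and the sample inputs are assumptions made for illustration; the firmware's actual handler code is not shown in the source.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Tenda firmware code: accept lan_ip only if it is
 * four decimal octets (0-255) joined by dots. On success the address is
 * rebuilt from the parsed integers, so no client-supplied byte is passed on. */
int validate_lan_ip(const char *in, char *out, size_t out_len)
{
    unsigned octet[4], val = 0;
    int idx = 0, digits = 0;

    if (!in || !out || out_len < 16 || strlen(in) > 15)
        return -1;                       /* longest valid: 255.255.255.255 */
    for (const char *p = in; ; p++) {
        if (*p >= '0' && *p <= '9') {
            if (digits == 1 && val == 0) /* no leading zeros ("01") */
                return -1;
            val = val * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || val > 255)
                return -1;
        } else if (*p == '.' || *p == '\0') {
            if (digits == 0 || idx > 3)  /* empty octet or a fifth octet */
                return -1;
            octet[idx++] = val;
            val = 0;
            digits = 0;
            if (*p == '\0')
                break;
        } else {
            return -1;                   /* anything else, incl. shell metacharacters */
        }
    }
    if (idx != 4)
        return -1;
    snprintf(out, out_len, "%u.%u.%u.%u", octet[0], octet[1], octet[2], octet[3]);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "192.168.0.1", "192.168.0.1;x", "192.168.0.256", "10.0.0" };
    char ip[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               validate_lan_ip(samples[i], ip, sizeof ip) == 0 ? ip : "rejected");
    return 0;
}
```

A request handler using this check would reject the request on -1 and pass only the rebuilt string onward, never the raw parameter.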

References