CVE-2025-22949
Published: 10 January 2025
Summary
CVE-2025-22949 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda Ac9 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Tenda AC9 v1.0 running firmware v15.03.05.19 is affected by a command injection vulnerability in the /goform/SetSambaCfg endpoint. The flaw, assigned CVE-2025-22949 and carrying a CVSS 3.1 score of 9.8, arises from insufficient sanitization of user-supplied parameters that are passed directly to system command execution, corresponding to CWE-77.
An unauthenticated attacker with network access can submit crafted HTTP requests to the endpoint and inject arbitrary operating-system commands. Successful exploitation yields remote code execution with full privileges on the router, enabling persistent compromise, traffic interception, or use of the device in further attacks.
A technical breakdown of the vulnerable SetSambaCfg handler and its doSystemCmd invocation is available in public references. The current EPSS score of 0.1077 with a peak of 0.1165 reflects moderate exploitation interest without a pronounced post-disclosure climb from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3052
Vulnerability details
Tenda ac9 v1.0 firmware v15.03.05.19 is vulnerable to command injection in /goform/SetSambaCfg, which may lead to remote arbitrary code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated command injection in public router web endpoint directly enables remote OS command execution (T1190 initial access + T1059.004 Unix Shell).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the insufficient input validation in the /goform/SetSambaCfg endpoint that enables command injection.
Requires identification, reporting, and correction of the specific command injection flaw via firmware remediation.
Restricts classes of inputs to the vulnerable endpoint, limiting the ability to submit command injection payloads.