Cyber Posture

CVE-2025-22949

CriticalPublic PoCRCE

Published: 10 January 2025

Published
10 January 2025
Modified
09 April 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0823 92.3th percentile
Risk Priority 25 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22949 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda Ac9 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the insufficient input validation in the /goform/SetSambaCfg endpoint that enables command injection.

SI-2 Flaw Remediation good match
prevent

Requires identification, reporting, and correction of the specific command injection flaw via firmware remediation.

SI-9 Information Input Restrictions partial match
prevent

Restricts classes of inputs to the vulnerable endpoint, limiting the ability to submit command injection payloads.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Unauthenticated command injection in public router web endpoint directly enables remote OS command execution (T1190 initial access + T1059.004 Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Tenda ac9 v1.0 firmware v15.03.05.19 is vulnerable to command injection in /goform/SetSambaCfg, which may lead to remote arbitrary code execution.

Deeper analysisAI

CVE-2025-22949 is a command injection vulnerability (CWE-77) affecting the Tenda AC9 v1.0 router running firmware version v15.03.05.19. The flaw resides in the /goform/SetSambaCfg endpoint, where insufficient input validation allows attackers to inject and execute arbitrary operating system commands. Published on 2025-01-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

Remote attackers can exploit this vulnerability over the network without authentication or user interaction. By sending a specially crafted HTTP request to the vulnerable endpoint, an unauthenticated adversary gains the ability to execute arbitrary code on the device, potentially leading to full remote code execution (RCE) and complete compromise of the router.

For mitigation details, refer to the advisory at https://noisy-caravel-a9a.notion.site/Tenda_AC9V1-0_V15-03-05-19_formSetSambaConf_doSystemCmd_CI-16f898c94eac80d5801bdaf777ac2b27, which documents the command injection in the doSystemCmd function.

Details

CWE(s)
CWE-77

Affected Products

tenda
ac9 firmware
15.03.05.19

CVEs Like This One

CVE-2026-6015Same product: Tenda Ac9
CVE-2025-29385Same product: Tenda Ac9
CVE-2025-29386Same product: Tenda Ac9
CVE-2025-29384Same product: Tenda Ac9
CVE-2025-29387Same product: Tenda Ac9
CVE-2025-22946Same product: Tenda Ac9
CVE-2026-6016Same product: Tenda Ac9
CVE-2026-2192Same product: Tenda Ac9
CVE-2026-2191Same product: Tenda Ac9
CVE-2024-57583Same vendor: Tenda

References