Cyber Resilience

CVE-2025-22949

CriticalPublic PoCRCE

Published: 10 January 2025

Published
10 January 2025
Modified
09 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1077 93.5th percentile
Risk Priority 26 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22949 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda Ac9 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Tenda AC9 v1.0 running firmware v15.03.05.19 is affected by a command injection vulnerability in the /goform/SetSambaCfg endpoint. The flaw, assigned CVE-2025-22949 and carrying a CVSS 3.1 score of 9.8, arises from insufficient sanitization of user-supplied parameters that are passed directly to system command execution, corresponding to CWE-77.

An unauthenticated attacker with network access can submit crafted HTTP requests to the endpoint and inject arbitrary operating-system commands. Successful exploitation yields remote code execution with full privileges on the router, enabling persistent compromise, traffic interception, or use of the device in further attacks.

A technical breakdown of the vulnerable SetSambaCfg handler and its doSystemCmd invocation is available in public references. The current EPSS score of 0.1077 with a peak of 0.1165 reflects moderate exploitation interest without a pronounced post-disclosure climb from a low baseline.

EU & UK References

Vulnerability details

Tenda ac9 v1.0 firmware v15.03.05.19 is vulnerable to command injection in /goform/SetSambaCfg, which may lead to remote arbitrary code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated command injection in public router web endpoint directly enables remote OS command execution (T1190 initial access + T1059.004 Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6015Same product: Tenda Ac9
CVE-2025-22946Same product: Tenda Ac9
CVE-2025-29385Same product: Tenda Ac9
CVE-2026-6016Same product: Tenda Ac9
CVE-2025-29387Same product: Tenda Ac9
CVE-2026-2191Same product: Tenda Ac9
CVE-2026-2192Same product: Tenda Ac9
CVE-2025-29386Same product: Tenda Ac9
CVE-2025-29384Same product: Tenda Ac9
CVE-2025-10443Same product: Tenda Ac9

Affected Assets

tenda
ac9 firmware
15.03.05.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the insufficient input validation in the /goform/SetSambaCfg endpoint that enables command injection.

prevent

Requires identification, reporting, and correction of the specific command injection flaw via firmware remediation.

prevent

Restricts classes of inputs to the vulnerable endpoint, limiting the ability to submit command injection payloads.

References