CVE-2025-25632
Published: 05 March 2025
Summary
CVE-2025-25632 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda Ac15 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Tenda AC15 firmware version 15.03.05.19 contains a command-injection vulnerability in the handler for the /goform/telnet endpoint. The flaw is tracked as CVE-2025-25632, carries a CVSS 3.1 base score of 9.8, and is classified under CWE-77. No authentication or user interaction is required for exploitation over the network.
An unauthenticated remote attacker can submit crafted input to the telnet handler and execute arbitrary operating-system commands on the device. Successful exploitation yields full control over the router, allowing arbitrary code execution, configuration changes, and potential persistence.
The single public reference is a proof-of-concept write-up hosted on GitHub; it does not describe vendor patches or mitigation steps. The associated EPSS score rose from a low baseline to a peak of 0.1079 on 2026-02-16 before receding to its current value of 0.0401, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6101
Vulnerability details
Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The command injection vulnerability in the public-facing web handler (/goform/telnet) on the Tenda AC15 router enables remote exploitation of a public-facing application and facilitates arbitrary command execution akin to network device CLI access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates command injection in the /goform/telnet handler by requiring validation of all information inputs, including command parameters, to block arbitrary OS command execution.
Addresses the specific firmware flaw in Tenda AC15 v15.03.05.19 by requiring timely remediation through security patches or updates to eliminate the vulnerability.
Enforces approved authorizations on the vulnerable /goform/telnet endpoint to prevent unauthenticated remote attackers from accessing and exploiting the command injection functionality.