Cyber Resilience

CVE-2025-25632

Critical · Public PoC · RCE

Published: 05 March 2025

Modified: 09 April 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0401 (88.7th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25632 is a critical-severity command injection (CWE-77) vulnerability in Tenda AC15 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Tenda AC15 firmware version 15.03.05.19 contains a command-injection vulnerability in the handler for the /goform/telnet endpoint. The flaw is tracked as CVE-2025-25632, carries a CVSS 3.1 base score of 9.8, and is classified under CWE-77. No authentication or user interaction is required for exploitation over the network.

An unauthenticated remote attacker can submit crafted input to the telnet handler and execute arbitrary operating-system commands on the device. Successful exploitation yields full control over the router, allowing arbitrary code execution, configuration changes, and potential persistence.

The single public reference is a proof-of-concept write-up hosted on GitHub; it does not describe vendor patches or mitigation steps. The associated EPSS score rose from a low baseline to a peak of 0.1079 on 2026-02-16 before receding to its current value of 0.0401, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

The command injection vulnerability in the public-facing web handler (/goform/telnet) on the Tenda AC15 router enables remote exploitation of a public-facing application and facilitates arbitrary command execution akin to network device CLI access.

CVEs Like This One

CVE-2026-24105 · Same product: Tenda Ac15
CVE-2025-11387 · Same product: Tenda Ac15
CVE-2025-11386 · Same product: Tenda Ac15
CVE-2025-11388 · Same product: Tenda Ac15
CVE-2025-11389 · Same product: Tenda Ac15
CVE-2025-0566 · Same product: Tenda Ac15
CVE-2026-3400 · Same product: Tenda Ac15
CVE-2026-24103 · Same product: Tenda Ac15
CVE-2026-4975 · Same product: Tenda Ac15
CVE-2026-5830 · Same product: Tenda Ac15

Affected Assets

tenda
ac15 firmware
15.03.05.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates command injection in the /goform/telnet handler by requiring validation of all information inputs, including command parameters, to block arbitrary OS command execution.

prevent

Addresses the specific firmware flaw in Tenda AC15 v15.03.05.19 by requiring timely remediation through security patches or updates to eliminate the vulnerability.

prevent

Enforces approved authorizations on the vulnerable /goform/telnet endpoint to prevent unauthenticated remote attackers from accessing and exploiting the command injection functionality.

References