CVE-2025-25632
Published: 05 March 2025
Summary
CVE-2025-25632 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda Ac15 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates command injection in the /goform/telnet handler by requiring validation of all information inputs, including command parameters, to block arbitrary OS command execution.
Addresses the specific firmware flaw in Tenda AC15 v15.03.05.19 by requiring timely remediation through security patches or updates to eliminate the vulnerability.
Enforces approved authorizations on the vulnerable /goform/telnet endpoint to prevent unauthenticated remote attackers from accessing and exploiting the command injection functionality.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The command injection vulnerability in the public-facing web handler (/goform/telnet) on the Tenda AC15 router enables remote exploitation of a public-facing application and facilitates arbitrary command execution akin to network device CLI access.
NVD Description
Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet.
Deeper analysisAI
CVE-2025-25632 is a command injection vulnerability (CWE-77) affecting Tenda AC15 routers running firmware version v15.03.05.19. The flaw resides in the handler function of the /goform/telnet endpoint, enabling attackers to inject and execute arbitrary operating system commands. Published on 2025-03-05, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and severe impacts on confidentiality, integrity, and availability.
Remote, unauthenticated attackers can exploit this vulnerability by sending specially crafted requests to the affected endpoint. Successful exploitation grants attackers the ability to execute arbitrary commands on the device with elevated privileges, potentially leading to full router compromise, data exfiltration, persistent access, or use as a pivot for further network attacks.
A detailed proof-of-concept and analysis is available in the referenced advisory at https://github.com/Pr0b1em/IoT/blob/master/TendaAC15v15.03.05.19telnet.md, which security practitioners should review for reproduction steps and potential workarounds, as no official patches are detailed in available information.
Details
- CWE(s)