CVE-2025-25675
Published: 20 February 2025
Summary
CVE-2025-25675 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda Ac10 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of the cmdinput parameter in formexeCommand to prevent arbitrary command injection into doSystemCmd.
Mandates identification and authentication for non-organizational users, blocking unauthenticated remote POST requests to the vulnerable formexeCommand function.
Requires timely identification, reporting, correction, and verification of the command injection flaw to eliminate the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an unauthenticated remote command injection in the web interface (formexeCommand) of a Tenda router that passes unsanitized input to doSystemCmd, directly enabling exploitation of a public-facing application (T1190) and arbitrary command execution via Unix Shell on the embedded Linux firmware (T1059.004).
NVD Description
Tenda AC10 V1.0 V15.03.06.23 has a command injection vulnerablility located in the formexeCommand function. The str variable receives the cmdinput parameter from a POST request and is later assigned to the cmd_buf variable, which is directly used in the doSystemCmd…
more
function, causing an arbitrary command execution.
Deeper analysisAI
CVE-2025-25675 is a command injection vulnerability affecting the Tenda AC10 V1.0 router running firmware version V15.03.06.23. The flaw is located in the formexeCommand function, where the str variable directly receives user input from the cmdinput parameter in a POST request. This input is then assigned to the cmd_buf variable and passed without sanitization to the doSystemCmd function, enabling arbitrary command execution on the device.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. Remote attackers require no authentication or user interaction and can exploit it over the network with low complexity. Successful exploitation grants attackers arbitrary command execution, allowing full compromise of the router, including data exfiltration, modification of configurations, or further network pivoting.
Details on the vulnerability, including proof-of-concept exploitation, are available in the GitHub repository at https://github.com/jangfan/my-vuln/blob/main/Tenda/AC10V1/formexeCommand.md. No vendor advisories or patches are referenced in the available information.
Details
- CWE(s)