CVE-2025-27129
Published: 20 August 2025
Summary
CVE-2025-27129 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Tenda Ac6 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-9 (Service Identification and Authentication) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires identification, reporting, and correction of the specific authentication bypass flaw in the router's HTTP functionality to prevent arbitrary code execution.
Mandates proper identification and authentication for the HTTP service, directly countering the authentication bypass vulnerability.
Enforces validation of HTTP request inputs to block specially crafted packets that bypass authentication and enable code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass on public HTTP interface of network device directly enables remote unauthenticated exploitation leading to RCE.
NVD Description
An authentication bypass vulnerability exists in the HTTP authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send packets to trigger this vulnerability.
Deeper analysisAI
CVE-2025-27129 is an authentication bypass vulnerability in the HTTP authentication functionality of the Tenda AC6 router running firmware version V5.0 V02.03.01.110. The flaw allows a specially crafted HTTP request to bypass authentication controls, ultimately leading to arbitrary code execution on the affected device. This issue is cataloged under CWE-288 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
A remote, unauthenticated attacker can exploit this vulnerability by sending malicious packets over the network to the router's HTTP interface. No user interaction or privileges are required, enabling exploitation from anywhere with network access to the device. Successful exploitation grants the attacker full arbitrary code execution capabilities, potentially allowing complete compromise of the router, including data theft, further network pivoting, or persistent access.
For mitigation details, refer to the Cisco Talos advisories at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2165 and https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2165, which provide technical analysis and recommended patches or workarounds.
Details
- CWE(s)