CVE-2025-44872
Published: 02 May 2025
Summary
CVE-2025-44872 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda AC9 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
Tenda AC9 V15.03.06.42_multi contains a command injection vulnerability in the formsetUsbUnload function, where the deviceName parameter is processed without adequate sanitization. The flaw is tracked as CVE-2025-44872 and carries a CVSS 3.1 score of 9.8, corresponding to CWE-77.
Unauthenticated attackers with network access can submit a crafted HTTP request that injects and executes arbitrary operating-system commands on the device. Successful exploitation grants full control over the router, including the ability to alter configuration, exfiltrate data, or pivot to other network hosts.
Public references consist of proof-of-concept material hosted in a GitHub repository that demonstrates the injection vector; no vendor advisory or firmware patch is referenced in the available sources. The EPSS score rose from lower values after disclosure to a peak of 0.1396 on 2026-04-16 before receding to the current 0.0514, indicating a period of increased exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13241
Vulnerability details
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via the deviceName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection vulnerability in the router's web interface (formsetUsbUnload via deviceName) enables exploitation of a public-facing application (T1190) and remote services (T1210) to achieve arbitrary remote command execution on the network device CLI (T1059.008).