Cyber Resilience

CVE-2025-44872

Critical · Public PoC · RCE

Published: 02 May 2025
Modified: 27 May 2025
KEV Added: (none)
Patch: (none)
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0514 (90.1st percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-44872 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda AC9 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

Tenda AC9 V15.03.06.42_multi contains a command injection vulnerability in the formsetUsbUnload function, where the deviceName parameter is processed without adequate sanitization. The flaw is tracked as CVE-2025-44872 and carries a CVSS 3.1 score of 9.8, corresponding to CWE-77.

Unauthenticated attackers with network access can submit a crafted HTTP request that injects and executes arbitrary operating-system commands on the device. Successful exploitation grants full control over the router, including the ability to alter configuration, exfiltrate data, or pivot to other network hosts.

Public references consist of proof-of-concept material hosted in a GitHub repository that demonstrates the injection vector; no vendor advisory or firmware patch is referenced in the available sources. The EPSS score rose from lower values after disclosure to a peak of 0.1396 on 2026-04-16 before receding to the current 0.0514, indicating a period of increased exploitation interest.

Vulnerability details

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via the deviceName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The command injection vulnerability in the router's web interface (formsetUsbUnload via deviceName) enables exploitation of a public-facing application (T1190) and remote services (T1210) to achieve arbitrary remote command execution on the network device CLI (T1059.008).

Affected Assets

Tenda AC9 firmware, version 15.03.06.42_multi

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References