CVE-2025-44877

Critical · Public PoC · RCE

Published: 02 May 2025
Modified: 27 May 2025
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0588 (90.8th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-44877 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda AC9 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.2% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Tenda AC9 firmware version V15.03.06.42_multi contains a command-injection flaw (CWE-77) in the formSetSambaConf function, which processes the usbname parameter. The vulnerability received a CVSS 3.1 base score of 9.8, reflecting exploitation over the network without authentication or user interaction and full compromise of confidentiality, integrity, and availability.

An unauthenticated attacker can submit a crafted HTTP request to the affected endpoint and execute arbitrary operating-system commands on the device. Successful exploitation grants the attacker the privileges of the web-server process, which on such routers typically enables persistent control of the device, interception of traffic, or use of the router as a pivot into the network behind it.

Public references consist solely of proof-of-concept repositories that demonstrate the injection vector; no vendor advisory or firmware patch is referenced in the available materials. The EPSS score rose from a low baseline to a peak of 0.1396 on 2026-04-16 before receding to 0.0588, indicating a measurable increase in exploitation interest after disclosure.

Vulnerability details

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via the usbname parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CWE(s)

CWE-77 Command Injection

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The command injection vulnerability in the web management interface (formSetSambaConf via usbname) lets an attacker exploit a public-facing application (T1190) and, through it, execute arbitrary Unix shell commands on the Linux-based router (T1059.004).
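The two defensive controls that follow from this analysis are an allowlist on the share-name parameter (the fix a firmware maintainer would apply in the handler) and a detection rule for requests to the Samba-configuration handler whose usbname value fails that allowlist (what a SOC can do while no patch exists). The Python below is an added example, not code from the Tenda firmware or from any referenced proof-of-concept; the endpoint path /goform/setsambacfg, the access-log format, the log lines and the allowed character set for usbname are all constructed assumptions, since the record does not give them.

```python
"""Allowlist validation and log detection for a usbname-style share-name
parameter (added example; endpoint path, log format and character set are
assumptions, not values from the CVE record)."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Allowlist for a Samba share name: letters, digits, underscore, hyphen,
# 1-32 characters. Assumption: the real firmware's rules are not published.
USBNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Shell metacharacters that never belong in a share name; used only to
# explain why a value was rejected when reviewing detections.
SHELL_META = ";|&$`<>()\n\r"

# Constructed access-log format:
#   <src> - - [<time>] "<METHOD> <target> HTTP/1.1" <status>
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\w+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign share name, one value carrying a shell
# separator, one unrelated request.
SAMPLE_LOG = """\
192.0.2.10 - - [02/May/2025:10:00:01 +0000] "POST /goform/setsambacfg?usbname=media_share HTTP/1.1" 200
192.0.2.20 - - [02/May/2025:10:00:07 +0000] "POST /goform/setsambacfg?usbname=share%3Bid HTTP/1.1" 200
192.0.2.30 - - [02/May/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200
"""


def usbname_is_safe(value: str) -> bool:
    """Allowlist check: the whole value must match USBNAME_RE.

    A handler that validates this way before building any shell command
    removes the injection class entirely, instead of trying to blacklist
    individual metacharacters."""
    return USBNAME_RE.fullmatch(value) is not None


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return requests to a samba-config handler whose usbname fails the
    allowlist. The handler is recognised by the substring 'samba' in the
    path (assumption: the real endpoint name is not in the record)."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        parts = urlsplit(m.group("target"))
        if "samba" not in parts.path.lower():
            continue
        # parse_qs percent-decodes values, so %3B becomes ';' here.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("usbname", []):
            if usbname_is_safe(value):
                continue
            bad = sorted({c for c in value if c in SHELL_META})
            reason = ("shell metacharacters: " + "".join(bad)) if bad else "not in allowlist"
            hits.append({"src": m.group("src"), "usbname": value, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The detector only sees usbname values carried in the URL query string; a real deployment would apply the same allowlist to values captured from POST bodies, which plain access logs usually do not record, so a reverse proxy or WAF in front of the management interface is the practical place to run this check.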

Affected Assets

Vendor: tenda
Product: ac9 firmware
Version: 15.03.06.42_multi

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.