Cyber Resilience

CVE-2025-57296

Severity: Medium · Public PoC referenced

Published: 19 September 2025
Modified: 25 September 2025
KEV Added: not listed
Patch: none recorded on this page
CVSS v3.1 Score: 6.5 (Medium) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score: 0.0214 (84.6th percentile)
Risk Priority: 14 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57296 is a medium-severity command injection (CWE-77) vulnerability in Tenda AC6 firmware. Its CVSS v3.1 base score is 6.5 (Medium). Note that the recorded vector's impact metrics (C:L/I:L/A:N) are conservative for a flaw described below as arbitrary system command execution on the device; treat the score as a floor when prioritising and weight the EPSS figure and the public proof-of-concept accordingly.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.4% of CVEs by exploit likelihood (EPSS 84.6th percentile), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Vulnerability details

Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which handles requests to the /goform/SetIPTVCfg web interface. When processing the list and vlanId parameters, the helper function sub_ADBC0 concatenates the user-supplied values into nvram set system commands and runs them through doSystemCmd without validating or sanitising shell metacharacters (e.g. ;, ", #). Because the endpoint requires no authentication (the CVSS vector records PR:N), a remote attacker can submit a crafted POST request and obtain arbitrary system command execution on the affected device.
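The following is an added illustration written for this page, not Tenda's firmware code: it reconstructs the shape of the flaw described above (request parameters pasted into a shell command string) as a toy, and sets a hardened version beside it. The NVRAM key names (iptv.list, iptv.vlan), the exact command layout and the accepted grammar for the list parameter are assumptions; only the pattern of unfiltered concatenation handed to a shell follows the advisory. Nothing is executed; the vulnerable path only builds the string so the example can run offline.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape (toy reconstruction, not Tenda's code): the two request
 * parameters are pasted into a shell command string that the firmware would
 * hand to doSystemCmd. Only the string is built here; nothing is executed.
 * "iptv.list" and "iptv.vlan" are placeholder NVRAM key names. */
int build_iptv_cmd_vuln(const char *list, const char *vlan_id,
                        char *out, size_t out_len)
{
    int n = snprintf(out, out_len,
                     "nvram set iptv.list=%s; nvram set iptv.vlan=%s",
                     list, vlan_id);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Denylist view: the characters the advisory names (; " #) plus the other
 * usual shell metacharacters. Useful for logging, not sufficient on its own. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";\"#`$|&<>()'\\\n\r") != NULL;
}

/* Allowlist for vlanId: decimal digits only, value 1..4094. */
int valid_vlan_id(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 4) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    long v = strtol(s, NULL, 10);
    return v >= 1 && v <= 4094;
}

/* Allowlist for list: [A-Za-z0-9,_.-], at most 64 bytes. The page does not
 * define this parameter's grammar, so the character set is an assumption. */
int valid_list(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != ',' && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened entry point: positive validation first. Returns 0 when both
 * values are acceptable, -1 when the request must be rejected. */
int validate_iptv_cfg(const char *list, const char *vlan_id)
{
    if (!valid_list(list) || !valid_vlan_id(vlan_id)) return -1;
    return 0;
}

/* Second layer: build an argv vector for execve() instead of a shell string.
 * Even if a metacharacter reached this point it would be one literal
 * argument to nvram, never parsed by /bin/sh. Returns argc or -1. */
int build_nvram_argv(const char *key, const char *value,
                     const char *argv[], size_t argv_len,
                     char *kv, size_t kv_len)
{
    if (argv_len < 4) return -1;
    int n = snprintf(kv, kv_len, "%s=%s", key, value);
    if (n < 0 || (size_t)n >= kv_len) return -1;
    argv[0] = "nvram"; argv[1] = "set"; argv[2] = kv; argv[3] = NULL;
    return 3;
}

int main(void)
{
    char cmd[256], kv[128];
    const char *argv[4];
    const char *bad_vlan = "1;id#";   /* constructed injection payload */

    build_iptv_cmd_vuln("1,2", bad_vlan, cmd, sizeof cmd);
    printf("vulnerable: %s\n", cmd);  /* ';id#' becomes a second command */
    printf("metachar present: %d\n", has_shell_meta(bad_vlan));
    printf("hardened accepts payload: %d\n", validate_iptv_cfg("1,2", bad_vlan) == 0);
    printf("hardened accepts clean:   %d\n", validate_iptv_cfg("1,2", "100") == 0);
    if (build_nvram_argv("iptv.vlan", bad_vlan, argv, 4, kv, sizeof kv) == 3)
        printf("argv[2] as one literal arg: %s\n", argv[2]);
    return 0;
}
```

The two layers are deliberately independent: the allowlist rejects the request at the web handler, and the argv construction removes the shell from the path entirely, so a missed character class in the validator does not become code execution. A denylist of ; " # alone would not be enough, since backticks, $(), pipes and newlines reach the same shell.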

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Command and Scripting Interpreter: Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The unauthenticated command injection vulnerability in the router's public-facing web interface (/goform/SetIPTVCfg) enables exploitation of a public-facing application (T1190) and facilitates arbitrary Unix shell command execution (T1059.004) via unsanitized parameters leading to doSystemCmd.
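To make the T1190 mapping concrete for a detection engineer, here is an added example (written for this page, not the site's or vendor's tooling) that runs a minimal rule over constructed web-server access records: a POST to /goform/SetIPTVCfg whose list or vlanId value carries shell metacharacters is flagged. The record format ("METHOD PATH BODY", with the body already URL-decoded) and the sample lines are constructed assumptions; a real deployment would read the router's or a reverse proxy's log format and decode percent-encoding first.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample records: one clean SetIPTVCfg request, two injection
 * attempts, one GET, and one metacharacter in an unrelated endpoint. */
static const char *SAMPLE_LOG[] = {
    "POST /goform/SetIPTVCfg list=1,2&vlanId=100",
    "POST /goform/SetIPTVCfg list=1&vlanId=1;id#",
    "GET /goform/GetIPTVCfg ",
    "POST /goform/SetIPTVCfg list=a\"&vlanId=5",
    "POST /goform/WifiBasicSet ssid=home;id",
    NULL
};

/* Returns 1 if the form-encoded body has name=value where value contains a
 * shell metacharacter ('&' is the field separator, so it is not in the set). */
static int param_has_meta(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while ((p = strstr(p, name)) != NULL) {
        int at_start = (p == body) || (p[-1] == '&');
        if (at_start && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            for (size_t i = 0; i < vlen; i++)
                if (strchr(";\"#`$|<>()'\\", v[i])) return 1;
            return 0;
        }
        p += nlen;
    }
    return 0;
}

/* Returns 1 if the record matches the rule: POST to the vulnerable endpoint
 * with a suspicious list or vlanId value. */
int is_suspicious(const char *record)
{
    char method[8], path[64];
    const char *body;
    if (sscanf(record, "%7s %63s", method, path) != 2) return 0;
    if (strcmp(method, "POST") != 0) return 0;
    if (strcmp(path, "/goform/SetIPTVCfg") != 0) return 0;
    body = strchr(record, ' ');
    body = body ? strchr(body + 1, ' ') : NULL;
    if (!body) return 0;
    body++;
    return param_has_meta(body, "list") || param_has_meta(body, "vlanId");
}

/* Runs the rule over a NULL-terminated record array; stores the indices of
 * matching records in hits and returns how many were stored. */
int scan_log(const char *const *records, int *hits, int max_hits)
{
    int n = 0;
    for (int i = 0; records[i]; i++)
        if (is_suspicious(records[i]) && n < max_hits) hits[n++] = i;
    return n;
}

int main(void)
{
    int hits[8];
    int n = scan_log(SAMPLE_LOG, hits, 8);
    for (int i = 0; i < n; i++)
        printf("ALERT T1190/T1059.004 candidate: %s\n", SAMPLE_LOG[hits[i]]);
    return 0;
}
```

The rule is intentionally narrow (one endpoint, two parameters) so that it stays low-noise on a device whose management interface should see little traffic; the last sample record shows that metacharacters on other endpoints are out of scope here and would need their own rule.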

Affected Assets

Tenda AC6 firmware, version 15.03.05.19

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE. Until it does, the details above point to two interim measures: keep the router's web management interface (the /goform/ endpoints) off the Internet and reachable only from trusted LAN hosts, and alert on POST requests to /goform/SetIPTVCfg whose list or vlanId values contain shell metacharacters.
