Cyber Resilience

CVE-2025-70798

HighPublic PoC

Published: 10 March 2026

Published
10 March 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 7.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-70798 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability in Tenda I24 Firmware. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 7.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-70798 is a hardcoded password vulnerability (CWE-259) in the Tenda i24V3.0si V3.0.0.5 firmware, specifically within the /etc_ro/shadow file. This flaw enables attackers to authenticate as the root user using a static credential, granting unrestricted administrative access to the device. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high impact due to complete compromise potential despite requiring local access.

An attacker with local access to the device, such as through physical proximity or prior network compromise, can exploit this vulnerability with low complexity and no privileges or user interaction required. Successful exploitation allows full root-level control, enabling actions like data exfiltration, firmware modification, persistent backdoor installation, or denial-of-service disruptions.

Advisories reference a detailed report at https://github.com/vuln-1/vuln/blob/main/Tenda/i24V3.0si_V3.0.0.5/report-1.md (duplicated in listings) and the vendor site at https://www.tendacn.com/, though specific patch details or mitigation steps are not outlined in available CVE data. Security practitioners should isolate affected devices and monitor for firmware updates from Tenda.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Tenda i24V3.0si V3.0.0.5 Firmware V3.0.0.5 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Hardcoded root password in shadow file directly enables use of default local accounts for auth and represents insecure credential storage.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-57483Same product: Tenda I24
CVE-2025-70802Same vendor: Tenda
CVE-2026-1610Same vendor: Tenda
CVE-2024-46433Same vendor: Tenda
CVE-2024-46429Same vendor: Tenda
CVE-2026-24429Same vendor: Tenda
CVE-2026-30140Same vendor: Tenda
CVE-2024-46436Same vendor: Tenda
CVE-2021-47802Same vendor: Tenda
CVE-2025-29357Same vendor: Tenda

Affected Assets

tenda
i24 firmware
3.0.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 mandates proper management of authenticators including prohibiting hardcoded or default passwords, directly preventing exploitation of the static root credential in the /etc_ro/shadow file.

preventdetect

SI-2 requires identification, monitoring, and timely remediation of flaws such as this hardcoded password vulnerability through firmware updates.

prevent

CM-6 enforces secure configuration settings that prohibit hardcoded credentials in firmware components like the shadow file.

References