CVE-2025-70798
Published: 10 March 2026
Summary
CVE-2025-70798 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability in Tenda I24 Firmware. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 mandates proper management of authenticators including prohibiting hardcoded or default passwords, directly preventing exploitation of the static root credential in the /etc_ro/shadow file.
SI-2 requires identification, monitoring, and timely remediation of flaws such as this hardcoded password vulnerability through firmware updates.
CM-6 enforces secure configuration settings that prohibit hardcoded credentials in firmware components like the shadow file.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hardcoded root password in shadow file directly enables use of default local accounts for auth and represents insecure credential storage.
NVD Description
Tenda i24V3.0si V3.0.0.5 Firmware V3.0.0.5 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root.
Deeper analysisAI
CVE-2025-70798 is a hardcoded password vulnerability (CWE-259) in the Tenda i24V3.0si V3.0.0.5 firmware, specifically within the /etc_ro/shadow file. This flaw enables attackers to authenticate as the root user using a static credential, granting unrestricted administrative access to the device. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high impact due to complete compromise potential despite requiring local access.
An attacker with local access to the device, such as through physical proximity or prior network compromise, can exploit this vulnerability with low complexity and no privileges or user interaction required. Successful exploitation allows full root-level control, enabling actions like data exfiltration, firmware modification, persistent backdoor installation, or denial-of-service disruptions.
Advisories reference a detailed report at https://github.com/vuln-1/vuln/blob/main/Tenda/i24V3.0si_V3.0.0.5/report-1.md (duplicated in listings) and the vendor site at https://www.tendacn.com/, though specific patch details or mitigation steps are not outlined in available CVE data. Security practitioners should isolate affected devices and monitor for firmware updates from Tenda.
Details
- CWE(s)