CVE-2025-10442 is a security vulnerability identified in the Tenda AC9 and AC15 routers running firmware version 15.03.05.14. The flaw exists in the formexeCommand function within the /goform/exeCommand endpoint. Specifically, the vulnerability arises from improper sanitization of the cmdinput argument, which allows an attacker to inject arbitrary OS commands. This is a classic OS command injection vulnerability, enabling remote attackers to execute system-level commands on the affected device without requiring user interaction or authentication. The vulnerability is remotely exploitable over the network, increasing its risk profile. Although the CVSS 4.0 base score is 5.3 (medium severity), the presence of remote code execution capabilities without user interaction or authentication elevates the threat potential. The vulnerability has been publicly disclosed, but no confirmed exploits in the wild have been reported yet. The lack of available patches or updates at the time of disclosure means affected devices remain vulnerable. Exploitation could allow attackers to take control of the router, manipulate network traffic, intercept sensitive data, or pivot to other devices on the network. Given that Tenda routers are commonly used in small office and home office environments, the vulnerability could be leveraged to compromise broader network security.

For European organizations, especially small and medium enterprises (SMEs) and home office users relying on Tenda AC9 or AC15 routers, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized control over network infrastructure, enabling attackers to intercept confidential communications, disrupt network availability, or launch further attacks such as lateral movement or data exfiltration. In sectors with strict data protection regulations like GDPR, such breaches could result in compliance violations and financial penalties. Additionally, compromised routers could be used as part of botnets or for launching attacks against other targets, amplifying the threat landscape. The medium CVSS score may understate the operational impact, as remote command execution without authentication is a critical capability for attackers. The vulnerability could also affect managed service providers who deploy these routers for clients, potentially impacting multiple organizations simultaneously.

Immediate mitigation should focus on isolating affected devices from untrusted networks to reduce exposure. Network segmentation can limit the impact of a compromised router. Administrators should monitor network traffic for unusual activity indicative of exploitation attempts. Since no official patches are available, consider the following practical steps: 1) Disable remote management interfaces on the router to prevent external access to vulnerable endpoints. 2) Restrict access to the router’s management interface to trusted IP addresses only. 3) Replace vulnerable devices with models from vendors with timely security update practices if feasible. 4) Employ network intrusion detection systems (NIDS) to detect command injection patterns or anomalous behavior. 5) Regularly audit router firmware versions and subscribe to vendor security advisories for updates. 6) Educate users about the risks of using outdated or unsupported network devices. These targeted actions go beyond generic advice by focusing on reducing attack surface and improving detection capabilities specific to this vulnerability.