CVE-2025-11121: Command Injection in Tenda AC18
A security vulnerability has been detected in Tenda AC18 15.03.05.19. The impacted element is an unknown function of the file /goform/AdvSetLanip. The manipulation of the argument lanIp leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2025-11121 is a command injection vulnerability identified in the Tenda AC18 router firmware version 15.03.05.19. The vulnerability resides in an unknown function associated with the /goform/AdvSetLanip endpoint, where the lanIp parameter is improperly sanitized, allowing an attacker to inject and execute arbitrary system commands remotely. The attack vector is network-based, requiring no authentication or user interaction, which significantly lowers the barrier for exploitation. The CVSS v4.0 base score is 5.3, reflecting medium severity due to the partial impact on confidentiality, integrity, and availability, and the lack of privilege requirements. The vulnerability could allow attackers to take control of the router, manipulate network traffic, disrupt services, or pivot into internal networks. Although no known exploits have been observed in the wild, the public disclosure of the vulnerability details increases the likelihood of exploitation attempts. The absence of vendor patches at the time of disclosure necessitates immediate defensive measures to mitigate risk. This vulnerability is particularly concerning for environments where Tenda AC18 devices are deployed as network gateways or in critical infrastructure roles.
Potential Impact
For European organizations, exploitation of CVE-2025-11121 could lead to unauthorized remote control of Tenda AC18 routers, resulting in interception or manipulation of network traffic, disruption of internet connectivity, and potential lateral movement into internal networks. This could compromise sensitive data confidentiality and integrity, degrade service availability, and undermine trust in network infrastructure. Organizations relying on these routers for perimeter defense or VPN termination are especially vulnerable. The medium severity score indicates a moderate but tangible risk, with the potential for significant operational impact if exploited at scale. The public disclosure increases the urgency for European entities to assess their exposure and implement mitigations promptly to prevent exploitation attempts that could disrupt business operations or critical services.
Mitigation Recommendations
1. Immediately inventory and identify all Tenda AC18 routers running firmware version 15.03.05.19 within the organization.
2. Restrict access to the router management interfaces, especially the /goform/AdvSetLanip endpoint, by implementing network segmentation and firewall rules to limit access to trusted administrative networks only.
3. Monitor network traffic for unusual requests targeting the vulnerable endpoint or suspicious command injection patterns.
4. Disable remote management features on the affected devices if not strictly necessary.
5. Apply vendor-supplied patches or firmware updates as soon as they become available.
6. If patches are unavailable, consider replacing vulnerable devices or deploying compensating controls such as intrusion prevention systems (IPS) that can detect and block command injection attempts.
7. Educate network administrators about the vulnerability and the importance of timely patching and access control.
8. Regularly review router configurations and logs for signs of compromise or exploitation attempts.
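Recommendations 3 and 8 call for watching requests to the vulnerable endpoint. The following added example (not code from the advisory, the vendor, or VulDB) shows one way to do that offline over captured request lines: a LAN IP setting has exactly one legitimate shape, a dotted-quad IPv4 address, so any lanIp value sent to /goform/AdvSetLanip that is not a well-formed dotted-quad is worth flagging, without needing a signature for each injection variant. It assumes a log source that records the full request target including the query string (a reverse proxy or IDS in front of the device; a router's own logs typically will not), and the log layout and sample lines are constructed for the example.

```python
"""Flag requests to /goform/AdvSetLanip whose lanIp is not a plain IPv4 address.

Added example for CVE-2025-11121 monitoring; not the device's or advisory's code.
Assumes request lines of the form: "<client> <method> <target> <status>",
with the query string visible in <target>. Sample lines are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/goform/AdvSetLanip"

# Constructed sample log: one benign set-IP request, one with a non-address
# value, one unrelated request, and one malformed address.
SAMPLE_LOG = """\
10.0.0.5 POST /goform/AdvSetLanip?lanIp=192.168.1.1 200
10.0.0.7 POST /goform/AdvSetLanip?lanIp=192.168.1.1%3Bx 200
10.0.0.9 GET /goform/SysToolReboot 200
203.0.113.4 POST /goform/AdvSetLanip?lanIp=192.168.1 200
"""

LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})$")
DOTTED_QUAD_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def is_plain_ipv4(value: str) -> bool:
    """True only for a well-formed dotted-quad such as 192.168.1.1.

    ipaddress.IPv4Address rejects extra characters and wrong octet counts;
    the regex makes the accepted shape explicit (four decimal octets only).
    """
    if DOTTED_QUAD_RE.fullmatch(value) is None:
        return False
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def suspicious_lanip_requests(log_text: str) -> list[dict]:
    """Return one finding per lanIp value that is not a dotted-quad IPv4 address."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        parts = urlsplit(m["target"])
        if parts.path != VULN_PATH:
            continue
        # parse_qs percent-decodes values, so %3B shows up as ';' here.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("lanIp", [""]):
            if not is_plain_ipv4(value):
                findings.append({
                    "src": m["src"],
                    "lanIp": value,
                    "reason": "lanIp is not a dotted-quad IPv4 address",
                })
    return findings


if __name__ == "__main__":
    for finding in suspicious_lanip_requests(SAMPLE_LOG):
        print(finding)
```

The same `is_plain_ipv4` check is the shape of the fix a firmware handler would need before the value reaches any shell: accept exactly four decimal octets or reject the request, rather than trying to strip individual metacharacters.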
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-27T17:51:31.793Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68d9ce3549cfd472f579502c
Added to database: 9/29/2025, 12:09:25 AM
Last enriched: 10/6/2025, 12:39:59 AM
Last updated: 10/6/2025, 9:50:34 AM