CVE-2025-11523 is a command injection vulnerability identified in the Tenda AC7 router firmware version 15.03.06.44. The vulnerability resides in the handling of the lanIp argument within the /goform/AdvSetLanip endpoint. By crafting malicious input for the lanIp parameter, an attacker can inject arbitrary system commands that the router executes with elevated privileges. This flaw is remotely exploitable without requiring authentication or user interaction, increasing the attack surface significantly. The vulnerability affects the router’s LAN IP configuration functionality, which is critical for network management. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although the impact is rated low on CIA, the ability to execute arbitrary commands can lead to full device compromise, persistent backdoors, or lateral movement within the network. No official patches or updates have been linked yet, and while no active exploitation in the wild is reported, public exploit code availability increases the risk of imminent attacks. The vulnerability underscores the importance of securing IoT and network devices that are often overlooked in enterprise security strategies.

For European organizations, exploitation of this vulnerability could lead to unauthorized control over Tenda AC7 routers, enabling attackers to manipulate network configurations, intercept or redirect traffic, and potentially launch further attacks on internal systems. This could compromise confidentiality by exposing sensitive data traversing the router, integrity by altering network settings or firmware, and availability by causing device malfunctions or denial of service. Critical infrastructure, small and medium enterprises, and home office environments using these routers are particularly vulnerable. The risk is heightened in sectors with stringent data protection requirements under GDPR, where unauthorized access could lead to regulatory penalties. Additionally, compromised routers could serve as entry points for broader cyber espionage or ransomware campaigns targeting European networks. The medium severity rating suggests a moderate but tangible threat that should not be underestimated, especially given the ease of remote exploitation without authentication.

Organizations should immediately inventory their network devices to identify any Tenda AC7 routers running firmware version 15.03.06.44. Until an official patch is released, mitigate risk by restricting remote access to router management interfaces via firewall rules or network segmentation. Disable remote management features if not required. Monitor network traffic for unusual activity or command injection attempts targeting the /goform/AdvSetLanip endpoint. Employ intrusion detection systems (IDS) with signatures for known exploit patterns. Where possible, replace vulnerable devices with models from vendors with stronger security track records. Regularly update router firmware once patches become available and verify authenticity of updates. Educate network administrators about this vulnerability and enforce strict access controls on network infrastructure. Consider deploying network anomaly detection solutions to identify exploitation attempts early.