CVE-2025-14286 is a medium-severity information disclosure vulnerability identified in the Tenda AC9 router firmware version 15.03.05.14_multi. The vulnerability resides in an unspecified functionality of the /cgi-bin/DownloadCfg.jpg CGI endpoint, which is part of the Configuration File Handler component. This endpoint improperly handles requests, allowing remote attackers to retrieve sensitive configuration data or other information without requiring authentication, privileges, or user interaction. The vulnerability is exploitable remotely over the network, increasing its attack surface. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P) indicates that the attack is network-based, requires low attack complexity, no privileges, no user interaction, and results in low-impact confidentiality loss. Although no exploits have been observed in the wild, the public disclosure of exploit details raises the likelihood of exploitation attempts. The lack of available patches at the time of reporting means that affected users must rely on interim mitigations. The vulnerability could allow attackers to obtain sensitive router configuration details, potentially exposing network credentials, topology, or other critical information that could be leveraged for subsequent attacks such as network intrusion or lateral movement.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive network configuration data, undermining confidentiality and potentially exposing internal network structures and credentials. This exposure increases the risk of targeted attacks, including network infiltration, data exfiltration, or disruption of services. Organizations relying on Tenda AC9 routers for critical network infrastructure or remote access may face elevated risks, especially if these devices are internet-facing or insufficiently segmented. The information disclosed could also aid attackers in crafting more effective phishing or social engineering campaigns. While the vulnerability does not directly impact integrity or availability, the indirect consequences of compromised confidentiality can be severe, particularly for sectors such as finance, healthcare, and government. The medium severity rating reflects the moderate but non-trivial risk posed by this flaw, especially given the ease of exploitation and lack of required authentication.

1. Immediately restrict access to the /cgi-bin/DownloadCfg.jpg endpoint by implementing firewall rules or access control lists to limit exposure to trusted internal networks only. 2. Monitor network traffic and logs for unusual or repeated requests to the vulnerable CGI endpoint to detect potential exploitation attempts. 3. Disable remote management interfaces on Tenda AC9 routers unless absolutely necessary, and if enabled, restrict access to known IP addresses. 4. Regularly check for and apply firmware updates from Tenda addressing this vulnerability once available. 5. Consider replacing affected Tenda AC9 devices with alternative hardware if timely patches are not provided, especially in high-risk environments. 6. Conduct network segmentation to isolate vulnerable devices from critical systems and sensitive data repositories. 7. Educate IT staff about this vulnerability and ensure incident response plans include procedures for detecting and mitigating exploitation attempts related to this flaw.