CVE-2025-24496 is a high-severity vulnerability affecting the Tenda AC6 V5.0 router, specifically version V02.03.01.110. The vulnerability is classified under CWE-288, which involves authentication bypass using an alternate path or channel. The issue resides in the /goform/getproductInfo endpoint of the router's firmware. An attacker can send specially crafted network packets to this endpoint without requiring any authentication or user interaction, which leads to the disclosure of sensitive information. According to the CVSS 3.1 score of 7.5, the attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to confidentiality (C:H), with no impact on integrity or availability. This means that an attacker can remotely obtain sensitive data from the device, potentially including configuration details, firmware version, or other information that could facilitate further attacks or reconnaissance. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that the vulnerability is newly disclosed and may require urgent attention from affected users and vendors. The vulnerability's presence in a widely deployed consumer-grade router model raises concerns about the potential scale of exposure, especially in environments where these devices are used as primary network gateways without additional security controls.

For European organizations, the impact of CVE-2025-24496 can be significant depending on the deployment context of the Tenda AC6 V5.0 routers. Many small and medium enterprises (SMEs) and home offices use consumer-grade routers like the Tenda AC6 due to cost-effectiveness. The information disclosure could allow attackers to gather sensitive device information remotely, which can be leveraged for targeted attacks such as network intrusion, lateral movement, or further exploitation of other vulnerabilities. Confidentiality breaches could expose network topology, device configurations, or credentials stored or accessible via the device, increasing the risk of espionage or data theft. Although the vulnerability does not directly affect integrity or availability, the disclosed information can facilitate more damaging attacks. In critical infrastructure or regulated sectors within Europe, such as finance, healthcare, or government, the presence of vulnerable devices could undermine security postures and compliance with data protection regulations like GDPR. Additionally, the lack of authentication and user interaction requirements makes this vulnerability easier to exploit at scale, potentially affecting large numbers of devices across various networks.

1. Immediate mitigation should involve isolating affected Tenda AC6 V5.0 routers from untrusted networks, especially the internet-facing interfaces, to prevent remote exploitation. 2. Network administrators should implement strict firewall rules to block access to the /goform/getproductInfo endpoint or restrict access to trusted IP addresses only. 3. Monitor network traffic for unusual or suspicious requests targeting the vulnerable endpoint to detect potential exploitation attempts. 4. Since no official patch is currently available, users should contact Tenda support for firmware updates or advisories and apply any forthcoming patches promptly. 5. Consider replacing vulnerable devices with models from vendors with a stronger security track record or with active firmware maintenance. 6. Employ network segmentation to limit the exposure of vulnerable devices and reduce the attack surface. 7. Use intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect exploitation attempts targeting this vulnerability. 8. Educate users and administrators about the risks of using consumer-grade routers in sensitive environments and encourage best practices for device management and network security.