CVE-2025-24496 is an authentication bypass vulnerability categorized under CWE-288, found in the Tenda AC6 V5.0 router firmware version V02.03.01.110. The vulnerability resides in the /goform/getproductInfo functionality, which is intended to provide product information but lacks proper authentication checks. An attacker can send specially crafted network packets to this endpoint, bypassing authentication mechanisms and causing the router to disclose sensitive information. This information disclosure could include device configuration details, firmware versions, or other internal data that could aid an attacker in further exploitation or network reconnaissance. The vulnerability is remotely exploitable without any privileges or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5, reflecting high impact on confidentiality with no impact on integrity or availability. Although no public exploits are reported yet, the simplicity of the attack vector and the lack of authentication barriers make it a critical concern for affected users. The vulnerability is specific to the Tenda AC6 V5.0 router firmware version V02.03.01.110, and no patches have been published at the time of disclosure, emphasizing the need for immediate mitigation steps.

For European organizations, this vulnerability poses a significant risk of sensitive information leakage from affected Tenda AC6 routers. Disclosure of device-specific information can facilitate targeted attacks, including further exploitation of router vulnerabilities or lateral movement within networks. Small and medium enterprises or home office environments using these routers could be particularly vulnerable due to potentially weaker network segmentation and security controls. The confidentiality breach could expose network topology, firmware versions, or administrative details, enabling attackers to craft more effective attacks or gain unauthorized access. While the vulnerability does not directly affect integrity or availability, the information gained could lead to more severe compromises. Given the widespread use of Tenda routers in residential and small business markets across Europe, the potential impact includes privacy violations, unauthorized network access, and increased risk of subsequent attacks.

1. Immediately restrict access to the router management interface by limiting it to trusted internal IP addresses or disabling remote management where possible. 2. Monitor network traffic for unusual or malformed requests targeting the /goform/getproductInfo endpoint to detect potential exploitation attempts. 3. Apply firmware updates from Tenda as soon as they are released to address this vulnerability. 4. If patches are not yet available, consider replacing affected devices with models from vendors with timely security updates. 5. Employ network segmentation to isolate routers from critical infrastructure and sensitive data environments. 6. Use intrusion detection/prevention systems (IDS/IPS) to identify and block suspicious packets targeting known vulnerable endpoints. 7. Educate users and administrators about the risks of exposing router management interfaces to untrusted networks.