The CVE-2025-44872 vulnerability affects the Tenda AC9 router firmware version V15.03.06.42_multi. It is a critical command injection vulnerability located in the formsetUsbUnload function, specifically exploitable via the deviceName parameter. Command injection vulnerabilities occur when untrusted input is passed to a system shell or command interpreter without proper sanitization, allowing an attacker to execute arbitrary commands on the affected device. In this case, an attacker can craft a malicious request that manipulates the deviceName parameter to inject and execute arbitrary system commands remotely. The vulnerability has a CVSS 3.1 base score of 9.8, indicating critical severity with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). This means the vulnerability can be exploited remotely by unauthenticated attackers without any user interaction, leading to full compromise of the device. The affected product is the Tenda AC9 router, a consumer-grade networking device commonly used for home and small office internet connectivity. The vulnerability is categorized under CWE-77 (Improper Neutralization of Special Elements used in a Command), which is a classic command injection weakness. No patches or fixes are currently linked, and there are no known exploits in the wild at the time of publication. However, given the critical nature and ease of exploitation, this vulnerability poses a significant risk to any network using the affected firmware version. Attackers could leverage this flaw to gain persistent control over the router, intercept or manipulate network traffic, launch further attacks on internal networks, or disrupt internet connectivity by disabling the device or its services.

For European organizations, this vulnerability presents a severe risk, especially for small businesses and home offices relying on Tenda AC9 routers for internet access. Successful exploitation could lead to full compromise of the router, allowing attackers to intercept sensitive data, manipulate network traffic, or pivot into internal networks. This could result in data breaches, espionage, disruption of business operations, and loss of availability of critical internet services. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely over the internet, increasing the attack surface. Organizations with remote or hybrid workforces using vulnerable routers at home are also at risk, potentially exposing corporate networks through compromised endpoints. The lack of available patches increases the urgency for mitigation. Additionally, the criticality of the vulnerability means it could be weaponized in automated attacks or botnets targeting vulnerable devices across Europe, amplifying the impact. The confidentiality, integrity, and availability of network communications and connected systems are all at high risk.

1. Immediate mitigation should include isolating affected Tenda AC9 routers from untrusted networks, especially the internet, until a vendor patch is available. 2. Network administrators should implement strict firewall rules to restrict inbound access to router management interfaces and USB-related services. 3. Disable USB functionality on the router if not required, to reduce the attack surface related to the vulnerable formsetUsbUnload function. 4. Monitor network traffic for unusual or suspicious requests targeting the deviceName parameter or USB-related endpoints. 5. Employ network segmentation to limit the impact of a compromised router on critical internal systems. 6. Use intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect exploitation attempts. 7. Regularly check for firmware updates from Tenda and apply patches as soon as they become available. 8. Educate users and administrators about the risks of using outdated firmware and encourage timely updates. 9. Consider replacing vulnerable devices with routers from vendors with a strong security track record if patches are delayed. 10. For organizations with remote workers, provide secure VPN access and endpoint security to mitigate risks from compromised home routers.