Skip to main content

CVE-2025-5836: Command Injection in Tenda AC9

Medium
VulnerabilityCVE-2025-5836cvecve-2025-5836
Published: Sat Jun 07 2025 (06/07/2025, 13:31:06 UTC)
Source: CVE Database V5
Vendor/Project: Tenda
Product: AC9

Description

A vulnerability was found in Tenda AC9 15.03.02.13. It has been rated as critical. This issue affects the function formSetIptv of the file /goform/SetIPTVCfg of the component POST Request Handler. The manipulation of the argument list leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AILast updated: 07/08/2025, 12:43:41 UTC

Technical Analysis

CVE-2025-5836 is a command injection vulnerability identified in the Tenda AC9 router, specifically affecting firmware version 15.03.02.13. The vulnerability resides in the POST request handler function formSetIptv within the /goform/SetIPTVCfg endpoint. An attacker can manipulate the argument list passed to this function, leading to arbitrary command execution on the device. This flaw allows remote attackers to execute system-level commands without authentication or user interaction, as the attack vector is a network-accessible POST request. The vulnerability has been publicly disclosed, although no known exploits are currently observed in the wild. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact on confidentiality, integrity, and availability. However, the ability to execute arbitrary commands remotely on a network device like a router can have significant security implications, including device takeover, network traffic interception or manipulation, and pivoting to internal networks. The lack of available patches at the time of disclosure increases the risk for affected users. Given the critical role of routers in network infrastructure, this vulnerability demands prompt attention.

Potential Impact

For European organizations, the exploitation of this vulnerability could lead to severe consequences. Compromised Tenda AC9 routers could serve as entry points for attackers to infiltrate corporate or home networks, intercept sensitive communications, or launch further attacks such as lateral movement or data exfiltration. Given the router's position at the network perimeter, attackers could manipulate routing or firewall rules, degrade network availability, or deploy malware. Small and medium enterprises (SMEs) and residential users relying on Tenda AC9 devices are particularly at risk due to potentially limited security monitoring and patch management capabilities. Additionally, critical infrastructure or service providers using these routers could face disruptions or breaches impacting service continuity. The public disclosure of the vulnerability increases the likelihood of exploitation attempts, especially if automated scanning tools incorporate this flaw. The medium CVSS score may underestimate the real-world impact due to the strategic position of routers in network security.

Mitigation Recommendations

Organizations and users should immediately verify if their Tenda AC9 routers are running firmware version 15.03.02.13 and avoid exposing the router management interface to untrusted networks, especially the internet. Network segmentation should be enforced to isolate router management interfaces from general user traffic. Employ firewall rules to restrict access to the /goform/SetIPTVCfg endpoint or block unsolicited POST requests targeting this path. Monitor network traffic for unusual POST requests or command injection patterns. Since no official patch is currently available, users should consider temporary mitigations such as disabling IPTV configuration features if possible or replacing vulnerable devices with updated models. Vendors should be contacted to expedite firmware updates addressing this vulnerability. Additionally, organizations should implement network intrusion detection systems (NIDS) with signatures for command injection attempts and maintain robust logging to detect exploitation attempts. Regular firmware audits and vulnerability scanning should be incorporated into security operations.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-06T20:11:59.450Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6844429271f4d251b50e99a7

Added to database: 6/7/2025, 1:45:54 PM

Last enriched: 7/8/2025, 12:43:41 PM

Last updated: 8/16/2025, 1:51:12 AM

Views: 16

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats