CVE-2025-9090 is a command injection vulnerability identified in the Tenda AC20 router, specifically affecting firmware version 16.03.08.12. The flaw resides in the Telnet Service component, within the function websFormDefine located in the /goform/telnet file. This vulnerability allows an unauthenticated remote attacker to inject arbitrary commands into the system by manipulating input parameters processed by the vulnerable function. Since the Telnet service is involved, the attacker can exploit this remotely without requiring user interaction or prior authentication. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 5.3, reflecting the ease of network-based exploitation (AV:N), low attack complexity (AC:L), and no user interaction (UI:N). However, it requires low privileges (PR:L), indicating some form of limited access or session may be needed, and the impact on confidentiality, integrity, and availability is low to limited. The exploit has been publicly disclosed, increasing the risk of exploitation, although no active exploits in the wild have been reported yet. This vulnerability could allow attackers to execute arbitrary system commands, potentially leading to unauthorized control over the device, disruption of network services, or pivoting into internal networks. Given the widespread use of Tenda AC20 routers in small office and home office environments, this vulnerability poses a tangible risk to network security if left unpatched.

For European organizations, especially small and medium enterprises (SMEs) and home office users relying on Tenda AC20 routers, this vulnerability could lead to unauthorized remote command execution on their network gateway devices. This may result in compromised network integrity, interception or manipulation of network traffic, and potential lateral movement into corporate networks. The impact on confidentiality could include exposure of sensitive internal communications, while integrity and availability could be affected through malicious command execution causing device malfunction or denial of service. Although the CVSS score indicates medium severity, the public disclosure of the exploit increases the urgency for mitigation. Organizations in Europe with limited IT security resources may be particularly vulnerable, as these routers are often deployed with default or weak configurations. Additionally, compromised routers could be leveraged as part of botnets or for launching further attacks against European infrastructure, amplifying the threat beyond individual devices.

1. Immediate firmware upgrade: Organizations should verify the firmware version of their Tenda AC20 devices and upgrade to a patched version once released by the vendor. Since no patch links are currently available, monitoring Tenda’s official channels for updates is critical. 2. Disable Telnet service: If firmware updates are not immediately available, disable the Telnet service on the router to eliminate the attack vector. 3. Network segmentation: Isolate vulnerable routers from critical internal networks to limit potential lateral movement in case of compromise. 4. Access control: Restrict remote management access to trusted IP addresses and use strong authentication mechanisms where possible. 5. Monitor network traffic: Implement intrusion detection systems to identify unusual command injection attempts or anomalous traffic patterns targeting the router. 6. Replace vulnerable hardware: For high-risk environments, consider replacing Tenda AC20 routers with devices from vendors with a stronger security track record and timely patch management. 7. User awareness: Educate users about the risks of using default credentials and the importance of keeping network devices updated.