CVE-2025-9090 is a command injection vulnerability found in the Tenda AC20 router, specifically in version 16.03.08.12. The flaw exists in the Telnet Service component, within the function websFormDefine located in the /goform/telnet endpoint. This vulnerability allows an attacker to remotely execute arbitrary commands on the affected device without requiring user interaction or authentication. The vulnerability arises due to improper input validation or sanitization in the Telnet service's web interface, enabling malicious input to be interpreted as system commands. Although the CVSS 4.0 score is rated medium (5.3), the attack vector is network-based with low complexity and no privileges or user interaction required, increasing the risk of exploitation. The exploit has been publicly disclosed, which raises the likelihood of attackers developing and deploying exploit code. However, there are no known active exploits in the wild at this time. The vulnerability impacts the confidentiality, integrity, and availability of the device, as attackers could execute arbitrary commands, potentially leading to device takeover, network pivoting, or denial of service. The lack of available patches or mitigation details from the vendor at the time of disclosure further complicates defense efforts.

For European organizations using the Tenda AC20 router version 16.03.08.12, this vulnerability poses a significant risk. Compromise of these routers could lead to unauthorized access to internal networks, interception or manipulation of traffic, and disruption of network services. Small and medium enterprises or home offices relying on this router model may be particularly vulnerable due to limited IT security resources. The ability to remotely execute commands without authentication means attackers can potentially establish persistent footholds or launch further attacks against connected systems. Given the widespread use of Tenda routers in residential and small business environments across Europe, exploitation could lead to large-scale privacy breaches and operational disruptions. Additionally, critical infrastructure or organizations with less stringent network segmentation could face escalated risks, including lateral movement and data exfiltration. The public disclosure of the exploit increases the urgency for mitigation to prevent opportunistic attacks.

1. Immediate network-level controls: Block or restrict access to the Telnet service and the /goform/telnet endpoint from untrusted networks, especially the internet. 2. Disable Telnet service on the Tenda AC20 router if not required, as Telnet is an insecure protocol and a common attack vector. 3. Monitor network traffic for unusual or unauthorized access attempts targeting the router's management interfaces. 4. Implement network segmentation to isolate vulnerable devices from critical systems and sensitive data. 5. Regularly audit and inventory router firmware versions to identify and prioritize vulnerable devices. 6. Engage with Tenda support channels to obtain firmware updates or patches addressing this vulnerability; if unavailable, consider replacing affected devices with models that have active security support. 7. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect command injection attempts or unusual Telnet activity. 8. Educate users and administrators about the risks of exposed management interfaces and the importance of secure configuration practices.