CVE-2025-9091: Hard-coded Credentials in Tenda AC20
A security flaw has been discovered in Tenda AC20 16.03.08.12. Affected by this vulnerability is an unknown functionality of the file /etc_ro/shadow. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-9091 is a vulnerability in the Tenda AC20 router firmware, version 16.03.08.12. The flaw is a hard-coded credential stored in the file /etc_ro/shadow; the advisory does not identify which account or which login path uses it. On this class of firmware the _ro suffix marks the read-only copy of /etc that ships inside the image, so any password hash in that shadow file is identical on every device running this build and cannot be changed through the router's normal configuration. Because the firmware image is what the vendor distributes, the hash can be read offline by anyone who unpacks the image and cracked at leisure; what remains for an attacker is a login path on the device that authenticates against that file, which is why the attack vector is rated local and the attacker is assumed to already have some access to the device or its network. The CVSS 4.0 vector reflects this: local attack vector, high attack complexity, low privileges required, no user interaction, and a base score of 2 (low), with no significant rated impact on confidentiality, integrity or availability. No exploitation in the wild has been reported and no patch is linked as of this writing. The public disclosure nonetheless raises the chance that the credential is tried against deployed AC20 units wherever local or network-adjacent access can be obtained.
Potential Impact
For European organizations, the impact of this vulnerability is relatively limited because of the low severity and the requirement for local access. In environments where Tenda AC20 routers are used, typically small and medium enterprises and home offices, an attacker who gains local network access or physical access to the device could use the hard-coded credential to obtain privileged access and keep it across reboots, since the credential survives any configuration change. From there the attacker could alter the router configuration, intercept traffic passing through it, or pivot to other internal systems. Given the low CVSS score and the local-access requirement, large enterprise networks, where consumer-grade routers of this class are rarely deployed, face minimal risk. Organizations with remote or distributed offices that do use these devices should, however, treat a compromised local segment as a possible stepping stone for lateral movement. Because no patch is available, the vulnerability remains exploitable until the vendor addresses it, which lengthens the window of exposure.
Mitigation Recommendations
European organizations should segment their networks so that only trusted administrators and systems can reach the management interfaces of Tenda AC20 devices, and should enforce physical security controls so that the devices cannot be accessed or reflashed by unauthorized people. Because the credential is baked into the read-only filesystem, changing the administrator password in the web interface does not remove it; only a vendor firmware update can. Until one is available, disable every service and management interface the router does not strictly need (telnet, SSH, and remote administration in particular), since the hard-coded credential is only useful through a service that accepts it. Monitor for unexpected logins to the router's management services and for unexplained configuration changes, which are the observable signs of the credential being used. Plan to update the firmware as soon as a fixed version is published, or to migrate to hardware with a better security posture if none appears. Finally, audit device configurations and credentials regularly, including the shadow files inside the firmware images you deploy, to identify any remaining default or hard-coded accounts.
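The credential audit recommended above, and the point in the technical summary that a hash baked into /etc_ro/shadow is shared by every device on the same build, can be turned into a repeatable check. The following Python is an added example, not code from the advisory, from VulDB or from Tenda: it parses shadow(5) files taken from unpacked firmware images, lists the accounts an attacker could log in as, flags hashes produced by cheap-to-crack schemes, and reports any (user, hash) pair that recurs byte-for-byte across images, which is the signature of a hard-coded rather than per-device password. It assumes the images have already been unpacked (for instance with binwalk) and each shadow file read into a string; the shadow contents and image names are constructed placeholders.

```python
"""Audit shadow(5) files taken from unpacked firmware images.

Added example, not code from the advisory or from Tenda. The shadow contents
below are constructed placeholders, not hashes from any real image. It assumes
the firmware has already been unpacked (for instance with binwalk) and each
image's /etc_ro/shadow read into a string.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# crypt(3) identifier prefix -> (algorithm name, cheap to crack offline?)
HASH_PREFIXES = {
    "$1$": ("md5-crypt", True),
    "$5$": ("sha256-crypt", False),
    "$6$": ("sha512-crypt", False),
    "$2a$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$y$": ("yescrypt", False),
}
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # traditional 13-character DES crypt


@dataclass(frozen=True)
class ShadowEntry:
    user: str
    hashed: str

    @property
    def state(self) -> str:
        if self.hashed == "":
            return "empty"    # account logs in with no password at all
        if self.hashed[0] in "!*":
            return "locked"   # nothing can match this field; password login disabled
        return "set"

    @property
    def algorithm(self) -> str:
        for prefix, (name, _) in HASH_PREFIXES.items():
            if self.hashed.startswith(prefix):
                return name
        if DES_CRYPT.fullmatch(self.hashed):
            return "des-crypt"
        return "unknown"

    @property
    def cheap_to_crack(self) -> bool:
        """True for a usable hash produced by a fast, routinely GPU-cracked scheme."""
        if self.state != "set":
            return False
        if self.algorithm == "des-crypt":
            return True
        return any(self.hashed.startswith(p) and cheap
                   for p, (_, cheap) in HASH_PREFIXES.items())


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse 'user:hash:...' records; blank lines, comments and junk are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries.append(ShadowEntry(user=fields[0], hashed=fields[1]))
    return entries


def usable_accounts(text: str) -> list[ShadowEntry]:
    """Accounts an attacker could log in as: a set hash or an empty password."""
    return [e for e in parse_shadow(text) if e.state in ("set", "empty")]


def hardcoded_hashes(images: dict[str, str]) -> dict[tuple[str, str], list[str]]:
    """(user, hash) pairs that recur byte-for-byte in more than one image.

    crypt(3) hashes are salted, so the same hash in independently provisioned
    images means the password was baked into the build rather than generated
    per device: exactly the hard-coded-credential condition.
    """
    seen: dict[tuple[str, str], list[str]] = {}
    for name, text in images.items():
        for e in parse_shadow(text):
            if e.state == "set":
                seen.setdefault((e.user, e.hashed), []).append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


# Constructed sample: two hypothetical images of one product line. The hash
# strings are made-up placeholders with the right prefixes, not real credentials.
SAMPLE_IMAGES = {
    "fw-A.bin:/etc_ro/shadow": (
        "root:$1$aBcDeFgH$Rz2J7QbQn7Q8gq7WcXkHm.:10933:0:99999:7:::\n"
        "admin:$1$aBcDeFgH$Rz2J7QbQn7Q8gq7WcXkHm.:10933:0:99999:7:::\n"
        "support:abJnggxhB/yWI:10933:0:99999:7:::\n"
        "nobody:*:10933:0:99999:7:::\n"
        "guest::10933:0:99999:7:::\n"
    ),
    "fw-B.bin:/etc_ro/shadow": (
        "root:$1$aBcDeFgH$Rz2J7QbQn7Q8gq7WcXkHm.:10933:0:99999:7:::\n"
        "admin:$6$Zy9xWv8u$0123456789abcdefghijklmnopqrstuvwxyzABCDEF:10933:0:99999:7:::\n"
        "nobody:!:10933:0:99999:7:::\n"
    ),
}


def report(images: dict[str, str]) -> list[str]:
    """Per-image findings for usable accounts plus cross-image hard-coded hits."""
    lines = []
    for name, text in images.items():
        for e in usable_accounts(text):
            flag = " CHEAP-TO-CRACK" if e.cheap_to_crack else ""
            lines.append(f"{name}: {e.user} state={e.state} algo={e.algorithm}{flag}")
    for (user, _), names in hardcoded_hashes(images).items():
        lines.append(f"HARD-CODED: '{user}' has an identical hash in {', '.join(names)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_IMAGES)))
```

On the constructed sample the report flags root, admin and support in image A as cheap to crack (md5-crypt and DES crypt), guest as having an empty password, and root as hard-coded because the identical salted hash appears in both images. The cross-image check is the one that distinguishes a hard-coded credential from a merely weak one: a per-device password would produce a different salt and hash in every image or unit.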
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-16T06:06:25.733Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68a142cead5a09ad0088a3a7
Added to database: 8/17/2025, 2:47:42 AM
Last enriched: 8/25/2025, 1:15:26 AM
Last updated: 9/28/2025, 11:56:09 AM
Related Threats
CVE-2025-10217: CWE-117 Improper Output Neutralization for Logs in Hitachi Energy Asset Suite (Medium)
CVE-2025-41099: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner (High)
CVE-2025-41097: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner (High)
CVE-2025-41096: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner (High)
CVE-2025-41095: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner (High)