CVE-2025-9309: Hard-coded Credentials in Tenda AC10
A vulnerability was found in Tenda AC10 16.03.10.13. It affects an unknown function of the file /etc_ro/shadow in the component MD5 Hash Handler. Manipulation results in hard-coded credentials. The attack must be carried out locally and requires a high degree of complexity. Exploitability is reported to be difficult. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-9309 is a vulnerability identified in the Tenda AC10 router firmware version 16.03.10.13. The flaw involves hard-coded credentials embedded within an unknown function related to the /etc_ro/shadow file, specifically within the component handling MD5 hashes. This vulnerability allows an attacker with local access to the device to potentially leverage these hard-coded credentials to gain unauthorized access or escalate privileges. The attack complexity is high, requiring local access and advanced manipulation skills, and no user interaction is needed. The exploitability is considered difficult, and while an exploit has been publicly disclosed, there are no known exploits actively used in the wild. The CVSS 4.0 base score is 2, indicating a low severity primarily due to the requirement for local access, high attack complexity, and limited impact on confidentiality, integrity, and availability. The vulnerability does not require authentication but does require local access, limiting the attack surface to individuals who can physically or logically access the device's local environment. The hard-coded credentials pose a risk of unauthorized access if an attacker can reach the device locally, potentially compromising device configuration or network security.
Potential Impact
For European organizations, the impact of CVE-2025-9309 is relatively limited due to the low severity and the requirement for local access. However, in environments where Tenda AC10 routers are deployed in sensitive or critical network segments, such as small office/home office (SOHO) setups or branch offices, an attacker with physical or local network access could exploit this vulnerability to gain unauthorized control over the device. This could lead to network misconfigurations, interception of network traffic, or pivoting to other internal systems. The risk is higher in organizations with less stringent physical security or where remote local access (e.g., via compromised internal hosts) is possible. Given the low CVSS score and lack of known active exploitation, the immediate threat is low, but the presence of hard-coded credentials is a poor security practice that could be leveraged in targeted attacks or combined with other vulnerabilities to escalate impact.
Mitigation Recommendations
To mitigate this vulnerability, European organizations using Tenda AC10 routers should:
1) Immediately check for firmware updates or patches from Tenda addressing this issue; if none are available, consider contacting the vendor for guidance or timelines.
2) Restrict physical and local network access to devices, ensuring only authorized personnel can connect directly to the router.
3) Implement network segmentation to isolate vulnerable devices from critical network assets, reducing the risk of lateral movement.
4) Monitor network traffic and device logs for unusual access patterns or authentication attempts that could indicate exploitation attempts.
5) Where feasible, replace affected devices with models that do not contain hard-coded credentials or have better security postures.
6) Employ strong network access controls and endpoint security to prevent attackers from gaining local access to the device environment.
These steps go beyond generic advice by focusing on access control, network architecture, and vendor engagement specific to this vulnerability's characteristics.
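When checking whether an updated image or a replacement model still ships a fixed credential, the shadow file in the unpacked firmware root can be audited directly, since any usable password hash inside an image is identical on every device running it. The script below is an added example, not code from the advisory or from Tenda; the function names and the sample shadow content are constructed, and it assumes the image has already been unpacked.

```python
"""Audit a shadow file from an unpacked firmware root for baked-in password hashes."""
import sys

# crypt(3) scheme ids; a hash without a "$id$" prefix is treated as legacy DES crypt.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt"}


def classify(pw_field):
    """Return (state, scheme) for the second field of a shadow entry."""
    if pw_field == "":
        return "empty", None             # account needs no password at all
    if pw_field[0] in "!*":
        return "locked", None            # password login disabled
    if pw_field.startswith("$"):
        parts = pw_field.split("$")
        scheme = SCHEMES.get(parts[1], "unknown") if len(parts) > 2 else "unknown"
        return "hash", scheme
    return "hash", "descrypt"


def audit_shadow(text):
    """Return one finding per account whose credential is fixed in the image."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pw_field = line.split(":")[:2]
        state, scheme = classify(pw_field)
        if state == "locked":
            continue                     # nothing to log in with
        findings.append({"line": lineno, "user": user, "state": state,
                         "scheme": scheme, "weak_scheme": scheme in WEAK})
    return findings


# Constructed sample, not taken from any real firmware image.
SAMPLE = """root:$1$CONSTRUCT$0000000000000000000000:14319::::::
daemon:*:14319::::::
support::14319::::::
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit_shadow(text):
        print(finding)
```

Run it with the path to the unpacked image's shadow file as the only argument; an empty result means every account in the image is locked.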
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-21T06:06:44.302Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a74dc4ad5a09ad0012a5cb
Added to database: 8/21/2025, 4:48:04 PM
Last enriched: 8/21/2025, 5:03:28 PM
Last updated: 8/21/2025, 5:58:13 PM