CVE-2025-0528

Name of the Vulnerable Software and Affected Versions Tenda AC8 versions 16.03.10.20 Tenda AC10 versions 16.03.10.20 Tenda AC18 versions 16.03.10.20

Description A critical issue has been found in the HTTP Request Handler component of the affected devices, specifically in the /goform/telnet file. This issue leads to command injection and can be exploited remotely. The problem is related to the lack of data sanitization on the management level of the telnetd daemon, allowing an attacker to execute arbitrary commands. The exploit for this issue has been publicly disclosed.

Recommendations For Tenda AC8 version 16.03.10.20, consider disabling the /goform/telnet endpoint until a patch is available. For Tenda AC10 version 16.03.10.20, restrict access to the HTTP Request Handler component to minimize the risk of exploitation. For Tenda AC18 version 16.03.10.20, avoid using the telnetd daemon until the issue is resolved. As a temporary workaround, consider disabling the telnetd daemon on all affected devices until a patch is available.