CVE-2025-44866

CVSS v3.1

6.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions Tenda W20E version 15.11.0.6

Description A command injection issue was found in the formSetDebugCfg function through the level parameter. This issue allows attackers to execute arbitrary commands via a manipulated request.

Recommendations For Tenda W20E version 15.11.0.6, consider disabling the formSetDebugCfg function until a patch is available to prevent exploitation via the level parameter. Restrict access to this function to minimize the risk of arbitrary command execution. Avoid using the level parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77

Related Identifiers

CVE-2025-44866

Affected Products

Tenda W20E

CVE-2025-44866

Weakness Enumeration

Related Identifiers

Affected Products

References · 5