CVE-2025-10442

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Tenda AC9 version 15.03.05.14 Tenda AC15 version 15.03.05.14

Description A vulnerability exists due to the manipulation of the cmdinput argument in the formexeCommand function within the /goform/exeCommand file, leading to OS command injection. Remote exploitation is possible. The exploit has been publicly disclosed.

Recommendations For Tenda AC9 version 15.03.05.14, address the vulnerability by patching the formexeCommand function in the /goform/exeCommand file to properly sanitize the cmdinput argument. For Tenda AC15 version 15.03.05.14, address the vulnerability by patching the formexeCommand function in the /goform/exeCommand file to properly sanitize the cmdinput argument.

Exploit

Fix

Command Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-78

Related Identifiers

BDU:2025-12452

CVE-2025-10442

Affected Products

Tenda Ac15

Tenda Ac9

CVE-2025-10442

Weakness Enumeration

Related Identifiers

Affected Products

References · 14