CVE-2025-57296

Name of the Vulnerable Software and Affected Versions Tenda AC6 router firmware version 15.03.05.19

Description The Tenda AC6 router firmware contains a command injection issue in the formSetIptv function. This function handles requests to the /goform/SetIPTVCfg web interface. The list and vlanId parameters are processed by the sub ADBC0 helper function, which concatenates these values into commands executed by doSystemCmd without proper validation. This allows an unauthenticated or authenticated attacker to execute arbitrary system commands on the device by submitting a crafted POST request.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.