PT-2025-7567 · Tenda · Tenda Ac10

Published: 2025-02-20 · Updated: 2025-02-22 · CVE-2025-25675

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Tenda AC10 V1.0 V15.03.06.23

Description: The issue is a command injection vulnerability in the formexeCommand function. The str variable receives the cmdinput parameter from a POST request and is later assigned to the cmd_buf variable, which is passed directly to the doSystemCmd function, resulting in arbitrary command execution.

Recommendations: For Tenda AC10 V1.0 V15.03.06.23, as a temporary workaround, consider disabling the formexeCommand function until a patch is available. Restrict access to the doSystemCmd function to minimize the risk of exploitation. Avoid using the cmdinput parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
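
The C sketch below is an added illustration, not Tenda's code and not part of this advisory. It shows the hardened counterpart of the pattern in the description: the cmdinput value only selects an entry from a fixed table and the program is started with execv, so request text never reaches a shell. The table contents, binary paths and the names lookup_diag and run_diag are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical fixed table of diagnostics the endpoint is allowed to run. */
struct diag { const char *name; const char *const argv[4]; };

static const struct diag ALLOWED[] = {
    { "uptime",   { "/bin/uptime", NULL } },
    { "ifconfig", { "/sbin/ifconfig", "-a", NULL } },
};

/* Exact-match lookup: returns the fixed argv for cmdinput, or NULL. */
const char *const *lookup_diag(const char *cmdinput)
{
    if (cmdinput == NULL) return NULL;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(cmdinput, ALLOWED[i].name) == 0)
            return ALLOWED[i].argv;
    return NULL;
}

/* Runs an allowed diagnostic without a shell; returns its exit status or -1. */
int run_diag(const char *cmdinput)
{
    const char *const *argv = lookup_diag(cmdinput);
    if (argv == NULL) return -1;           /* anything not in the table is refused */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv); /* fixed argv, no string building */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs; only the lookup is exercised here. */
    const char *samples[] = { "uptime", "uptime;echo x", "$(echo x)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               lookup_diag(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```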

Command Injection

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2025-25675

Affected Products: Tenda Ac10