CVE-2025-5836
BaseFortify
Publication date: 2025-06-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac9_firmware | 15.03.2.13 |
| tenda | ac9 | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in the Tenda AC9 router firmware version 15.03.02.13. It exists in the formSetIptv function of the POST request handler at the /goform/SetIPTVCfg endpoint. The issue arises because the 'list' parameter is not properly sanitized before being passed to a function that executes commands. This allows an attacker to inject arbitrary commands remotely without authentication, potentially taking control of the device. [1, 2]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to unauthorized command execution on the affected router, impacting the confidentiality, integrity, and availability of the device. An attacker can remotely execute arbitrary commands without authentication, potentially taking full control of the device, disrupting network services, stealing data, or using the device as a foothold for further attacks. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /goform/SetIPTVCfg, specifically those containing the 'list' parameter with unusual or command injection patterns. Network intrusion detection systems (NIDS) can be configured to alert on POST requests to this endpoint. Additionally, inspecting device logs for unexpected command executions or anomalies related to IPTV configuration changes may help. Since the vulnerability involves command injection via the 'list' parameter, commands such as curl or wget can be used to test the endpoint by sending crafted POST requests with payloads attempting command injection. For example, a test command might be: curl -X POST http://<device-ip>/goform/SetIPTVCfg -d "list=;id" to check if command output is reflected or causes unexpected behavior. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the vulnerable device, especially blocking remote access to the /goform/SetIPTVCfg endpoint. Since no known countermeasures or patches currently exist, it is recommended to replace the affected Tenda AC9 router running firmware version 15.03.02.13 with a non-vulnerable device. Additionally, monitoring for exploitation attempts and isolating the device from critical networks can reduce risk until replacement is possible. [2]