CVE-2025-9091
BaseFortify
Publication date: 2025-08-17
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac20_firmware | 16.03.08.12 |
| tenda | ac20 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-259 | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves hard-coded credentials in the Tenda AC20 router firmware version 16.03.08.12. Specifically, the root user's password is embedded as an MD5-crypt hash in the /etc_ro/shadow file. Attackers with local access can extract this hash, use password-cracking tools to recover the plaintext password, and gain unauthorized root-level access to the device. The flaw arises from embedding a fixed root password in the firmware, making it susceptible to compromise through hash extraction and cracking. [1, 2]
How can this vulnerability impact me?
The vulnerability can lead to unauthorized root-level access to the affected Tenda AC20 router, compromising the confidentiality of the device. An attacker with local access can extract and crack the hard-coded root password, potentially allowing them to control the router, access sensitive information, or disrupt network operations. Exploitation is difficult and requires local access, but a public proof-of-concept exploit exists. There are no known mitigations other than replacing the affected device. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing the firmware of the Tenda AC20 router version 16.03.08.12 to check for the presence of a hardcoded root password hash in the /etc_ro/shadow file. Since exploitation requires local access, detection involves accessing the device's filesystem and inspecting the /etc_ro/shadow file for the embedded MD5-crypt hash. Commands to extract and inspect the hash could include mounting the firmware image and using grep or cat to view the /etc_ro/shadow file. For example, after gaining local shell access, you could run: `cat /etc_ro/shadow` to check for hardcoded password hashes. Additionally, password-cracking tools can be used on the extracted hash to verify if it corresponds to a known hardcoded password. [1, 2]
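The firmware inspection described above can be automated as an audit over an unpacked image. The script below is an added example, not code from this page or from the vendor; it assumes the firmware's root filesystem has already been extracted to a directory, and the sample shadow entry it builds is constructed, with a placeholder in place of the real hash.

```python
import os
import tempfile

# crypt(3) identifier prefixes and the scheme each one selects
SCHEMES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt",
           "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}

def classify(field):
    """Name the scheme of a usable password field; None if locked or deferred."""
    if field == "":
        return "empty-password"          # account accepts login with no password
    if field == "x" or field[0] in "*!":
        return None                      # deferred to shadow, or login disabled
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "des-crypt-or-unknown"

def scan_rootfs(root):
    """Walk an extracted firmware tree and list every account whose shadow or
    passwd entry ships with a usable password field baked into the image."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in ("shadow", "passwd"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    parts = line.strip().split(":")
                    if line.startswith("#") or len(parts) < 2:
                        continue
                    scheme = classify(parts[1])
                    if scheme:
                        findings.append((os.path.relpath(path, root), parts[0], scheme))
    return sorted(findings)

def demo():
    # Constructed sample tree; the hash is a placeholder, not the value in the firmware.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc_ro"))
        with open(os.path.join(root, "etc_ro", "shadow"), "w") as fh:
            fh.write("root:$1$CONSTRCT$0000000000000000000000:14319::::::\n"
                     "nobody:*:14319::::::\n")
        return scan_rootfs(root)

if __name__ == "__main__":
    for path, user, scheme in demo():
        print(f"{path}: account '{user}' carries a baked-in {scheme} credential")
```

Any finding under a read-only path such as `etc_ro` means the credential is identical on every device running that image, which is the condition CWE-798 describes.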
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected Tenda AC20 router running firmware version 16.03.08.12 with an alternative product, as no known patches or countermeasures are available. Since the vulnerability involves hardcoded credentials that cannot be changed, the recommended action is to discontinue use of the vulnerable device to avoid risk of unauthorized root access. [2]