CVE-2025-9806
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Tenda F1202 1.2.0.9/1.2.0.14/1.2.0.20. Impacted is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. This manipulation with the input Fireitup causes hard-coded credentials. The attack can only be executed locally. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-02
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-02
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9806
EUVD
EUVD-2025-26370
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
tenda fh1202_firmware 1.2.0.9
tenda fh1202_firmware 1.2.0.14
tenda fh1202_firmware 1.2.0.20
tenda f1202 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9806 is a vulnerability in the Tenda F1202 router models running firmware versions 1.2.0.9, 1.2.0.14, and 1.2.0.20. It involves hard-coded credentials embedded in the device's firmware, specifically related to the file /etc_ro/shadow. The password "Fireitup" is hard-coded and stored using MD5-crypt hashing, which can be cracked easily with common password-cracking tools. This allows unauthorized root-level access to the device via the administrative interface or network-accessible services. Exploitation requires local access and a high degree of attack complexity. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized root-level access to the affected Tenda F1202 devices, compromising the confidentiality of the device. An attacker with local access can exploit the hard-coded password to gain administrative control, potentially allowing them to manipulate device settings, intercept or alter network traffic, or disrupt device operation. However, the attack is difficult to execute and requires local access with elevated privileges. [1, 2]

Detection Guidance

This vulnerability can be detected by checking for the presence of the hard-coded root password "Fireitup" in the /etc_ro/shadow file on the Tenda F1202 device running affected firmware versions (1.2.0.9, 1.2.0.14, 1.2.0.20). Since the password is stored as an MD5-crypt hash, tools like John the Ripper can be used to crack and verify the password hash. Commands to detect this could include extracting the /etc_ro/shadow file and running John the Ripper against it. For example: 1) Extract the shadow file from the device. 2) Run `john --format=md5crypt shadowfile` to attempt cracking the password. Additionally, monitoring for unauthorized root access attempts or checking for the presence of the hard-coded credentials in the firmware can help detect exploitation attempts. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting local access to the affected Tenda F1202 devices to trusted personnel only, as the attack requires local access and a high degree of complexity. Since no known countermeasures or patches are published, it is recommended to consider replacing the affected device with an alternative model or vendor that does not have this vulnerability. Monitoring for unauthorized access attempts and disabling or limiting the administrative interface access can also help reduce risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9806. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart