CVE-2025-9806
BaseFortify
Publication date: 2025-09-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | fh1202_firmware | 1.2.0.9 |
| tenda | fh1202_firmware | 1.2.0.14 |
| tenda | fh1202_firmware | 1.2.0.20 |
| tenda | f1202 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-259 | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9806 is a vulnerability in the Tenda F1202 router models running firmware versions 1.2.0.9, 1.2.0.14, and 1.2.0.20. It involves hard-coded credentials embedded in the device's firmware, specifically related to the file /etc_ro/shadow. The password "Fireitup" is hard-coded and stored using MD5-crypt hashing, which can be cracked easily with common password-cracking tools. This allows unauthorized root-level access to the device via the administrative interface or network-accessible services. Exploitation requires local access and a high degree of attack complexity. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized root-level access to the affected Tenda F1202 devices, compromising the confidentiality of the device. An attacker with local access can exploit the hard-coded password to gain administrative control, potentially allowing them to manipulate device settings, intercept or alter network traffic, or disrupt device operation. However, the attack is difficult to execute and requires local access with elevated privileges. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the hard-coded root password "Fireitup" in the /etc_ro/shadow file on the Tenda F1202 device running affected firmware versions (1.2.0.9, 1.2.0.14, 1.2.0.20). Since the password is stored as an MD5-crypt hash, tools like John the Ripper can be used to crack and verify the password hash. Commands to detect this could include extracting the /etc_ro/shadow file and running John the Ripper against it. For example: 1) Extract the shadow file from the device. 2) Run `john --format=md5crypt shadowfile` to attempt cracking the password. Additionally, monitoring for unauthorized root access attempts or checking for the presence of the hard-coded credentials in the firmware can help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting local access to the affected Tenda F1202 devices to trusted personnel only, as the attack requires local access and a high degree of complexity. Since no known countermeasures or patches are published, it is recommended to consider replacing the affected device with an alternative model or vendor that does not have this vulnerability. Monitoring for unauthorized access attempts and disabling or limiting the administrative interface access can also help reduce risk. [2]