CVE-2025-14286
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac9 | 15.03.05.14_multi |
| tenda | ac9_firmware | 15.03.05.14_multi |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability causes unauthorized disclosure of sensitive configuration information, including wireless network passwords and administrator password hashes, which can lead to a breach of confidentiality. Such information disclosure could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information and ensuring confidentiality. However, specific impacts on compliance are not detailed in the provided resources. [1, 2]
Can you explain this vulnerability to me?
This vulnerability exists in the Tenda AC9 router firmware version 15.03.05.14_multi, specifically in an unknown functionality of the /cgi-bin/DownloadCfg.jpg file within the Configuration File Handler component. It allows an attacker to remotely manipulate this functionality to cause information disclosure.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of sensitive information from the affected device. Since the attack can be initiated remotely without authentication, it poses a risk of exposing confidential configuration data to attackers, potentially compromising network security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the URL path /cgi-bin/DownloadCfg.jpg on the Tenda AC9 router running firmware version 15.03.05.14_multi. If the configuration file is accessible without authentication, it indicates the presence of the vulnerability. A simple command to test this from a system on the network would be: curl http://<router-ip>/cgi-bin/DownloadCfg.jpg. If the response contains sensitive configuration data such as wireless passwords or admin password hashes, the device is vulnerable. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying restrictive firewall rules to block unauthorized remote access to the /cgi-bin/DownloadCfg.jpg endpoint on the affected router. This prevents attackers from exploiting the vulnerability remotely. Additionally, monitoring network traffic for unauthorized access attempts to this endpoint is recommended. Ultimately, updating the router firmware to a version that patches this vulnerability, if available, is advised. [2]