CRITICAL🇵🇱 Wersja polska

CVE-2025-45042

CVSS 9.8v3.1pub. 2025-05-05upd. 2025-05-07

Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function.

🤖 AI Analysis
How it works

The vulnerability results from improper validation of input data passed to the Telnet function in the device firmware (CWE-77, CWE-78). An attacker can construct a specially crafted request containing malicious system commands, which will be executed by the device's command interpreter without proper filtering. The attack does not require authentication or any user interaction and can be conducted remotely over the network.

Impact

Successful exploitation of the vulnerability allows an attacker to take full control of the device — they can read and modify configuration data, change network settings, and use the router as an entry point for further lateral movement in the local network.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until an update is released, it is recommended to disable the Telnet function on the device and restrict access to the administration panel exclusively to trusted hosts through network segmentation or firewall rules.

Who is affected

Tenda AC9 with firmware version v15.03.05.14

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Tenda Ac9

    HW
    Tenda
    1.0
  • Tenda Ac9 Firmware

    OS
    Tenda
    15.03.05.14
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2018-14558CRITICAL9.8⚠ KEVten sam produkt

An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firm...

CVE-2025-44872CRITICAL9.8PL ✓ten sam produkt

Command injection w Tenda AC9 via parametr deviceName

CVE-2025-44877CRITICAL9.8PL ✓ten sam produkt

Command injection w Tenda AC9 — funkcja formSetSambaConf (parametr usbname)

CVE-2025-45427CRITICAL9.8PL ✓ten sam produkt

Tenda AC9 – stack overflow w WifiBasicSet umożliwia zdalny RCE

CVE-2025-45428CRITICAL9.8PL ✓ten sam produkt

Stack overflow w Tenda AC9 – RCE przez parametr rebootTime