CVE-2025-10442 Overview
CVE-2025-10442 is an operating system command injection vulnerability affecting Tenda AC9 and AC15 wireless routers running firmware version 15.03.05.14. The flaw resides in the formexeCommand function within the /goform/exeCommand endpoint. Attackers can manipulate the cmdinput parameter to inject arbitrary operating system commands. Remote exploitation is possible over the network, and the exploit details have been publicly disclosed. The vulnerability is tracked under [CWE-77] (Improper Neutralization of Special Elements used in a Command).
Critical Impact
Authenticated remote attackers can execute arbitrary OS commands on affected Tenda AC9 and AC15 routers by sending crafted requests to the /goform/exeCommand endpoint.
Affected Products
- Tenda AC9 router (hardware version 1.0)
- Tenda AC9 firmware 15.03.05.14
- Tenda AC15 router and firmware 15.03.05.14
Discovery Timeline
- 2025-09-15 - CVE-2025-10442 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-10442
Vulnerability Analysis
The vulnerability exists in the formexeCommand handler within the Tenda AC9 and AC15 web management interface. The handler processes requests sent to /goform/exeCommand and reads the cmdinput argument supplied by the client. Because the firmware fails to neutralize shell metacharacters in this parameter, the value is passed into a system command interpreter without sanitization. An attacker who can reach the router's web administration service can append additional commands to cmdinput and have them executed in the router's shell context. The EPSS score of 8.317% places this issue in the 94th percentile for predicted exploitation activity, indicating elevated likelihood of opportunistic abuse.
Root Cause
The root cause is improper neutralization of special elements used in an OS command [CWE-77]. The formexeCommand function concatenates the user-supplied cmdinput value into a command string and invokes it through a shell, with no allow-list, escaping, or input validation enforced on the parameter.
Attack Vector
The attack is network-reachable and requires low privileges on the router's web interface. An attacker sends an HTTP request to /goform/exeCommand containing a crafted cmdinput value that combines a benign command with shell separators such as ;, |, or backticks followed by attacker-chosen commands. The injected commands run with the privileges of the web server process on the embedded device. Public proof-of-concept details for this issue are referenced in the GitHub CVE Analysis and VulDB entry #323876.
Detection Methods for CVE-2025-10442
Indicators of Compromise
- HTTP POST or GET requests targeting /goform/exeCommand on Tenda AC9 or AC15 management interfaces.
- cmdinput parameter values containing shell metacharacters such as ;, &&, |, $(), or backticks.
- Unexpected outbound connections from the router to attacker-controlled hosts following web interface activity.
- New or modified processes on the router (where shell access is available) such as telnetd, wget, or nc.
Detection Strategies
- Inspect web proxy and firewall logs for requests to /goform/exeCommand originating from untrusted networks.
- Apply network intrusion detection signatures that flag command separators inside the cmdinput URL or body parameter.
- Correlate router management traffic with outbound DNS or HTTP callbacks to non-corporate destinations.
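The separator check from the indicators and detection strategies above, written as an added example (not code from the advisory or the vendor). It URL-decodes cmdinput from both GET queries and POST bodies, including nested encoding, before matching. The log layout, the sample lines, and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/goform/exeCommand"
# Separators named in the advisory (; && | $( `); CR/LF added here as an assumption.
META = re.compile(r";|&&|\||\$\(|`|[\r\n]")
# Assumed log layout: <client> <method> <request-target> ["<form body>"]
LINE = re.compile(r'^(?P<src>\S+) (?P<method>GET|POST) (?P<target>\S+)(?: "(?P<body>[^"]*)")?$')

# Constructed sample lines (documentation addresses, placeholder payload text).
SAMPLE_LOG = """\
198.51.100.7 GET /goform/exeCommand?cmdinput=ping+192.0.2.10%3BEXAMPLE
10.0.0.5 GET /goform/exeCommand?cmdinput=ping+192.0.2.10
198.51.100.7 POST /goform/exeCommand "cmdinput=ping%20192.0.2.10%257CEXAMPLE"
10.0.0.5 GET /goform/example?cmdinput=a%3Bb
"""

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %257C) so hidden separators become visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for an exeCommand request whose cmdinput has separators, else None."""
    m = LINE.match(line.strip())
    if not m or unquote(urlsplit(m["target"]).path).rstrip("/") != ENDPOINT:
        return None
    # cmdinput may arrive in the query string (GET) or the form body (POST).
    values = parse_qs(urlsplit(m["target"]).query).get("cmdinput", [])
    values += parse_qs(m["body"] or "").get("cmdinput", [])
    for raw in values:
        value = fully_decode(raw)
        hits = sorted(set(META.findall(value)))
        if hits:
            return {"src": m["src"], "method": m["method"],
                    "cmdinput": value, "separators": hits}
    return None

def scan(log_text):
    """Run inspect_line() over every line and keep only the findings."""
    return [f for f in map(inspect_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Proxy logs that do not record POST bodies will only surface the GET form of the request, so body inspection has to happen at a device that sees the full request.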
Monitoring Recommendations
- Restrict and log access to the router's HTTP/HTTPS administration interface, alerting on access from non-management subnets.
- Forward router syslog data to a centralized logging platform and baseline normal /goform/* request volumes.
- Monitor for unexpected configuration changes, new firewall rules, or DDNS updates on edge devices.
How to Mitigate CVE-2025-10442
Immediate Actions Required
- Disable remote (WAN-side) administration on Tenda AC9 and AC15 devices and restrict LAN-side admin access to trusted hosts.
- Change default and weak administrator credentials, since exploitation requires low-level authenticated access to the web interface.
- Segment vulnerable consumer-grade routers away from production or sensitive networks pending vendor remediation.
- Audit affected devices running firmware 15.03.05.14 and prioritize replacement or isolation if no patch is available.
Patch Information
At the time of publication, no vendor advisory or fixed firmware release has been associated with CVE-2025-10442 in the NVD record. Monitor the Tenda official website for updated firmware releases addressing the formexeCommand handler in AC9 and AC15 products.
Workarounds
- Block external access to TCP ports 80 and 443 on the router's WAN interface using upstream firewall rules.
- Place affected routers behind a network firewall that filters requests containing shell metacharacters in cmdinput.
- Replace end-of-support Tenda AC9 and AC15 hardware with currently supported models that receive security updates.
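# Example upstream firewall rule to block WAN access to the vulnerable endpoint.
# The string match only sees cleartext HTTP (port 80); it cannot inspect HTTPS on 443,
# so keep port 443 blocked from the WAN as described in the first workaround.
iptables -A FORWARD -p tcp --dport 80 -d <router_wan_ip> \
  -m string --algo bm --string "/goform/exeCommand" -j DROP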

