CVE-2025-24496 Overview
CVE-2025-24496 is an information disclosure vulnerability in the /goform/getproductInfo functionality of the Tenda AC6 V5.0 router running firmware version V02.03.01.110. An unauthenticated remote attacker can send specially crafted network packets to this endpoint and retrieve sensitive product information from the device. The flaw is classified under CWE-288: Authentication Bypass Using an Alternate Path or Channel. The vulnerability requires no privileges or user interaction, making it accessible to any attacker with network reachability to the router's management interface.
Critical Impact
Unauthenticated remote attackers can extract sensitive product information from affected Tenda AC6 V5 routers by sending crafted HTTP requests to the /goform/getproductInfo endpoint.
Affected Products
- Tenda AC6 hardware version 5.0
- Tenda AC6 firmware version V02.03.01.110
- Devices exposing the web management interface to untrusted networks
Discovery Timeline
- 2025-08-20 - CVE-2025-24496 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-24496
Vulnerability Analysis
The vulnerability resides in the /goform/getproductInfo handler exposed by the Tenda AC6 V5 web management interface. The endpoint processes network requests and returns product information without enforcing proper authentication checks. An attacker sending crafted packets to this URI receives sensitive details about the device. Because the endpoint is reachable over the network and bypasses the expected authentication path, any attacker with access to the device's management interface can query it.
The weakness is tracked as CWE-288, which covers cases where an authentication mechanism can be sidestepped through an alternate path. In this case, the alternate path is the unauthenticated goform handler itself.
Root Cause
The root cause is missing authentication on the /goform/getproductInfo route. The Tenda firmware fails to validate session credentials before responding with product information. Many embedded goform handlers in Tenda devices follow a pattern of registering URI endpoints directly into the httpd binary, and any handler that omits authentication checks becomes a direct disclosure primitive.
Attack Vector
Exploitation requires only network access to the router's HTTP management interface. An attacker issues an HTTP request to /goform/getproductInfo and parses the response, which contains sensitive product details. No credentials, user interaction, or prior foothold are required. While the management interface is typically LAN-only by default, devices configured for remote administration, or those reachable through other compromised internal hosts, are directly exposed.
No verified public proof-of-concept code is available. Technical details are documented in the Talos Intelligence Vulnerability Report TALOS-2025-2164.
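The following Python script is an added exposure check for auditing your own devices (it is not the Talos proof of concept and not code from the original page). It sends the single unauthenticated GET to /goform/getproductInfo described above and classifies the reply. The page does not document the handler's response format, so the verdict is a heuristic: a redirect, a 401/403, or an HTML login page counts as refused; any other HTTP 200 with a non-empty body counts as disclosed. The login-page markers, the 64 KiB read cap and the User-Agent string are assumptions made for this example. The same script can drive the inventory step under "Immediate Actions Required" by running it against each known AC6 V5 address.

```python
"""Exposure check for the unauthenticated /goform/getproductInfo handler.

Added example, not the Talos proof of concept. Assumptions: the handler answers a
plain HTTP GET; a refused unauthenticated request comes back as a redirect, a
401/403 or an HTML login page; anything else with a 200 and a body is treated as
disclosure. Adjust classify_response() if the device behaves differently.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

ENDPOINT = "/goform/getproductInfo"
LOGIN_MARKERS = (b"<form", b"login")  # assumption: markers of an HTML login page


def classify_response(status: int, content_type: str, body: bytes) -> str:
    """Classify one unauthenticated reply as 'disclosed', 'refused' or 'inconclusive'."""
    if status in (301, 302, 303, 307, 308, 401, 403):
        return "refused"
    if status != 200:
        return "inconclusive"
    text = body.strip()
    if not text:
        return "inconclusive"
    lowered = text.lower()
    # An HTML page carrying a login form is the authenticated path doing its job.
    if "text/html" in content_type.lower() and any(m in lowered for m in LOGIN_MARKERS):
        return "refused"
    return "disclosed"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, timeout: float = 5.0) -> tuple[str, int, bytes]:
    """Send one unauthenticated GET (no cookies, no credentials) and classify the result."""
    url = urljoin(base_url, ENDPOINT)
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-24496-check"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read(65536)  # cap the read; product info is small
    except urllib.error.HTTPError as e:
        status = e.code
        ctype = e.headers.get("Content-Type", "") if e.headers else ""
        body = e.read(65536) if e.fp is not None else b""
    return classify_response(status, ctype, body), status, body


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check.py http://<router-address>")
    target = sys.argv[1]
    verdict, status, body = probe(target)
    print(f"{target}{ENDPOINT}: HTTP {status} -> {verdict}")
    if verdict == "disclosed":
        print(body[:200])
```

Run it only against devices you are authorised to test; a "disclosed" verdict means the handler answered a request carrying no session at all, which is the condition the advisory describes, while "inconclusive" (a 5xx, an empty body, a different method expected) needs a manual look rather than being taken as safe.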
Detection Methods for CVE-2025-24496
Indicators of Compromise
- HTTP requests to the URI path /goform/getproductInfo originating from unexpected internal or external sources
- Unauthenticated GET or POST requests to /goform/* endpoints on Tenda AC6 devices
- Responses from the router that carry product metadata to clients holding no authenticated session
Detection Strategies
- Inspect web and network logs from any reverse proxy, firewall, or IDS in front of the router for requests to /goform/getproductInfo
- Deploy IDS/IPS signatures matching the URI string getproductInfo in HTTP traffic toward router management interfaces
- Correlate reconnaissance against router IP addresses with subsequent activity targeting internal hosts
Monitoring Recommendations
- Monitor HTTP traffic to embedded device management interfaces and alert on unauthenticated access patterns
- Track repeated probing of /goform/ endpoints, which is characteristic of Tenda-targeted reconnaissance
- Log and review WAN-side connection attempts to TCP/80 and TCP/443 on consumer-grade routers
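The detection strategies and monitoring recommendations above come down to three signals in the access logs of whatever sits in front of the router: any hit on /goform/getproductInfo, one source touching several /goform/ paths, and management-interface access from outside the trusted networks. The script below is an added example (not from the advisory or any vendor tool) that runs those three checks over combined-format access log lines, as written by Apache, nginx, or a reverse proxy. The sample log lines, the trusted CIDR, the probe threshold of three distinct paths, and the placeholder /goform/ paths are all constructed for the example; the placeholders are not real Tenda endpoint names.

```python
"""Access-log detection for CVE-2025-24496 probing.

Added example, not from the original advisory. Assumes combined-format access
logs from a proxy or firewall in front of the router and an operator-supplied
list of trusted management networks. Sample lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TARGET_PATH = "/goform/getproductInfo"
GOFORM_PREFIX = "/goform/"
PROBE_THRESHOLD = 3  # distinct /goform/ paths from one source before calling it a scan

# Constructed sample log. /goform/placeholder1 and placeholder2 are NOT real endpoints.
SAMPLE_LOG = """\
192.168.0.23 - - [20/Aug/2025:10:01:02 +0000] "GET /goform/getproductInfo HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.45 - - [20/Aug/2025:10:02:10 +0000] "GET /goform/getproductInfo HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.45 - - [20/Aug/2025:10:02:11 +0000] "POST /goform/placeholder1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.45 - - [20/Aug/2025:10:02:12 +0000] "GET /goform/placeholder2?x=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.168.0.50 - - [20/Aug/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # match on path only, not the query string
    return rec


def analyse(lines, trusted_nets=("192.168.0.0/24",)):
    """Return a list of (severity, source, message) alerts, high severity first."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    per_src = defaultdict(lambda: {"target_status": [], "goform_paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == TARGET_PATH:
            per_src[rec["src"]]["target_status"].append(rec["status"])
        if rec["path"].startswith(GOFORM_PREFIX):
            per_src[rec["src"]]["goform_paths"].add(rec["path"])

    alerts = []
    for src, st in per_src.items():
        try:
            untrusted = not any(ipaddress.ip_address(src) in n for n in trusted)
        except ValueError:
            untrusted = True  # unparsable source: treat as untrusted
        if st["target_status"]:
            # A 200 means the handler answered; anything else is still reconnaissance.
            sev = "high" if 200 in st["target_status"] else "medium"
            alerts.append((sev, src, f"{len(st['target_status'])} request(s) to {TARGET_PATH}, "
                                     f"statuses {sorted(set(st['target_status']))}"))
        if len(st["goform_paths"]) >= PROBE_THRESHOLD:
            alerts.append(("medium", src, f"{len(st['goform_paths'])} distinct /goform/ paths probed"))
        if untrusted and st["goform_paths"]:
            alerts.append(("medium", src, "goform access from outside trusted management networks"))
    return sorted(alerts, key=lambda a: (a[0] != "high", a[1]))


if __name__ == "__main__":
    for sev, src, msg in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {src}: {msg}")
```

Feed it real lines with `analyse(open(path))` and set `trusted_nets` to the administrative VLAN or hosts that are allowed to reach the router. Because /goform/getproductInfo answers without a session, a 200 from any source is worth a ticket; the untrusted-source and multi-path signals are what turn a single hit into evidence of the wider reconnaissance the advisory warns about.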
How to Mitigate CVE-2025-24496
Immediate Actions Required
- Disable remote (WAN-side) management on Tenda AC6 V5 devices so the interface is reachable only from the LAN
- Restrict access to the router's management interface using firewall rules or VLAN segmentation
- Audit all Tenda AC6 V5 deployments for firmware version V02.03.01.110 and inventory exposed devices
- Replace end-of-life or unsupported Tenda AC6 hardware where vendor patches are unavailable
Patch Information
At the time of publication, no vendor advisory or fixed firmware version has been linked in the NVD entry for CVE-2025-24496. Administrators should monitor the Tenda security portal and the Talos Intelligence Vulnerability Report TALOS-2025-2164 for patch availability.
Workarounds
- Block external access to TCP/80 and TCP/443 on the router's WAN interface
- Place the router's management interface on a dedicated administrative VLAN accessible only from trusted hosts
- Use upstream firewall rules to drop inbound HTTP requests containing the /goform/getproductInfo URI
- Replace affected devices with vendor-supported hardware that receives current security updates
# Example iptables rules for a Linux firewall. Replace wan0 with the real WAN-facing
# interface. INPUT rules apply when this host itself terminates the WAN link; for a
# separate upstream firewall, filter forwarded traffic in the FORWARD chain instead.
# Make sure no earlier ACCEPT rule for these ports precedes them in the chain.
iptables -A INPUT -i wan0 -p tcp --dport 80 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 443 -j DROP
# Example upstream filter dropping forwarded requests to the vulnerable endpoint.
# String matching only sees cleartext HTTP and only within a single packet, so it
# covers neither HTTPS nor a request split across segments: defence in depth,
# not the primary control.
iptables -A FORWARD -p tcp --dport 80 \
    -m string --string "/goform/getproductInfo" --algo bm -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


