CRITICAL🇵🇱 Wersja polska

CVE-2025-44877

CVSS 9.8v3.1pub. 2025-05-02upd. 2025-05-27

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via the usbname parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

🤖 AI Analysis
How it works

The vulnerability results from insufficient validation and sanitization of input data passed through the usbname parameter to the formSetSambaConf function. By sending a crafted network request containing a malicious payload, an attacker can inject and execute arbitrary system commands at the device level. The attack vector is network-based, requires no authentication or user interaction, making this vulnerability particularly dangerous.

Impact

An attacker can gain full control of the device by remotely executing arbitrary system commands, which may lead to violations of the device's and connected network's confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the manufacturer according to the references. As a temporary measure, it is recommended to restrict access to the device management interface only to trusted IP addresses and isolate the device from the public Internet.

Who is affected

Tenda AC9 with firmware version V15.03.06.42_multi

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Tenda Ac9

    HW
    Tenda
    wszystkie wersje
  • Tenda Ac9 Firmware

    OS
    Tenda
    15.03.06.42_multi
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2018-14558CRITICAL9.8⚠ KEVten sam produkt

An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firm...

CVE-2025-45042CRITICAL9.8PL ✓ten sam produkt

Command injection w funkcji Telnet routera Tenda AC9

CVE-2025-44872CRITICAL9.8PL ✓ten sam produkt

Command injection w Tenda AC9 via parametr deviceName

CVE-2025-45427CRITICAL9.8PL ✓ten sam produkt

Tenda AC9 – stack overflow w WifiBasicSet umożliwia zdalny RCE

CVE-2025-45428CRITICAL9.8PL ✓ten sam produkt

Stack overflow w Tenda AC9 – RCE przez parametr rebootTime