CVE-2025-0528

CWE-74 CWE-77 — Command Injection CWE-78 — OS Command Injection CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

8.6HIGH

EPSS

0.9%

top 24.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tenda Ac10 Tenda Ac18 Tenda AC8 +3 more

Timeline

PublishedJan 17

Latest updateAug 20

Description

A vulnerability, which was classified as critical, has been found in Tenda AC8, AC10 and AC18 16.03.10.20. Affected by this issue is some unknown functionality of the file /goform/telnet of the component HTTP Request Handler. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages6 packages

▶CVEListV5tenda/ac1016.03.10.20

▶CVEListV5tenda/ac1816.03.10.20

▶NVDtenda/ac10_firmware16.03.10.20

▶NVDtenda/ac18_firmware16.03.10.20

▶CVEListV5tenda/ac816.03.10.20

🔴Vulnerability Details

CVEList

Tenda AC8/AC10/AC18 HTTP Request telnet command injection↗2025-01-17

▶

GHSA

GHSA-jj49-w25f-3wxj: A vulnerability, which was classified as critical, has been found in Tenda AC8, AC10 and AC18 16↗2025-01-17

▶

📋Vendor Advisories

Red Hat

vllm: quen3: RCE in vllm tool call parser for qwen3coder↗2025-08-20

▶