CVE-2025-25675
published 2025-02-20CVE-2025-25675: Tenda AC10 V1.0 V15.03.06.23 has a command injection vulnerablility located in the formexeCommand function. The str variable receives the cmdinput parameter…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
Tenda AC10 V1.0 V15.03.06.23 has a command injection vulnerablility located in the formexeCommand function. The str variable receives the cmdinput parameter from a POST request and is later assigned to the cmd_buf variable, which is directly used in the doSystemCmd function, causing an arbitrary command execution.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_tensorflow_2.11.1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_tensorflow_2.11.1-1_on_cbl_mariner_2.0 | — | — |
| tenda | ac10_firmware | — | — |