Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-9090

CWE-74 CWE-77 — Command Injection4 documents4 sources

Severity

5.3MEDIUM

EPSS

2.7%

top 14.06%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Tenda Ac20 Tenda Ac20 Firmware

Timeline

PublishedAug 17

Latest updateAug 18

Description

A vulnerability was identified in Tenda AC20 16.03.08.12. Affected is the function websFormDefine of the file /goform/telnet of the component Telnet Service. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5tenda/ac2016.03.08.12

▶NVDtenda/ac20_firmware16.03.08.12

🔴Vulnerability Details

GHSA

GHSA-x5w2-r7p8-rfh5: A vulnerability was identified in Tenda AC20 16↗2025-08-17

▶

CVEList

Tenda AC20 Telnet Service telnet websFormDefine command injection↗2025-08-17

▶

💥Exploits & PoCs

Exploit-DB

Tenda AC20 16.03.08.12 - Command Injection↗2025-08-18

▶