CVE Alert: CVE-2025-10443 - Tenda - AC9

CVE-2025-10443

HIGHNo exploitation knownPoC observed

A vulnerability was identified in Tenda AC9 and AC15 15.03.05.14/15.03.05.18. This vulnerability affects the function formexeCommand of the file /goform/exeCommand. Such manipulation of the argument cmdinput leads to buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used.

CVSS v3.1 (8.8)

Vendor

Tenda, Tenda

Product

AC9, AC15

Versions

15.03.05.14 | 15.03.05.18 | 15.03.05.14 | 15.03.05.18

CWE

CWE-120, Buffer Overflow

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

Published

2025-09-15T11:32:07.435Z

Updated

2025-09-15T11:40:44.495Z

References

https://vuldb.com/?id.323877

https://vuldb.com/?ctiid.323877

https://vuldb.com/?submit.647840

https://github.com/2664521593/mycve/blob/main/Tenda/Tenda_AC15_AC9_Bof.md

https://github.com/2664521593/mycve/blob/main/Tenda/Tenda_AC15_AC9_Bof.md#poc

https://www.tenda.com.cn/

AI Summary Analysis

Risk verdict

High risk of remote code execution on Tenda AC9/AC15 due to a buffer overflow in formexeCommand; a public PoC exists enabling network-based exploitation.

Why this matters

Compromise of the router could give an attacker full control of the device, with potential traffic interception, credential capture, and lateral movement into connected networks. In dense deployments, widespread exploitation could disrupt services, degrade customer experience, and enable further intrusions into downstream devices.

Most likely attack path

Exploitation would be delivered over the network to the /goform/exeCommand endpoint with crafted cmdinput. The vulnerability offers high impact (C/I/A) and is exploitable without user interaction, requiring only network access and low privileges. This supports rapid, automated targeting of exposed devices and potential immediate post-exploitation control and persistence within the device’s environment.

Who is most exposed

Common in home and small-office deployments where WAN management interfaces are reachable from the internet or misconfigured, and where firmware updates are infrequent. Consumer-grade routers like Tenda AC9/AC15 are popular in SMBs and households, increasing blast radius if not updated.

Detection ideas

Look for repeated, unusual /goform/exeCommand requests with long or crafted cmdinput.
Detect device reboots, crashes, or memory corruption indicators in logs.
Monitor for atypical outbound connections or data patterns from the router.
IDS/IPS alerts matching known PoC patterns or overflow signatures.
Unexpected new processes or core dumps on the device.

Mitigation and prioritisation

Update to patched firmware as soon as vendor releases it; verify integrity before deployment.
If patching is not immediately possible, disable or tightly restrict remote/WAN admin access; apply strict firewall rules to block external administration.
Enforce network segmentation and isolate affected devices from sensitive networks; restrict admin exposure to LAN only.
Review credentials and disable unnecessary services; enable automatic updates if available.
Plan a device replacement or upgrade for discontinued support; document a change-management timeline.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: ac15, ac9, CVE, cve-2025-10443, OSINT, tenda, threatintel