CVE Alert: CVE-2025-11523 – Tenda – AC7
CVE-2025-11523
A vulnerability was detected in Tenda AC7 15.03.06.44. This vulnerability affects unknown code of the file /goform/AdvSetLanip. The manipulation of the argument lanIp results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
AI Summary Analysis
Risk verdict
Remote command-injection with a public PoC exists, requiring only low-privilege access; exploitation can be triggered over the network, so treat as a priority 2 risk.
Why this matters
Successful exploitation could allow arbitrary commands on the device, enabling changes to routing, firewall rules, or DNS and potentially enabling access to the internal network. The combination of remote capability and publicly available exploit increases the chance of rapid weaponisation, particularly where the admin interface is reachable from the internet.
Most likely attack path
Attackers would target the vulnerable AdvSetLanip endpoint over the network, supplying a crafted lanIp value to achieve injection. No UI interaction is required and low-privilege access is sufficient, so a compromised or misconfigured device with WAN-facing admin access is highly attractive. Lateral movement within the LAN may follow if the attacker can alter routing or DNS, subject to device permissions and existing network protections.
Who is most exposed
Devices deployed with internet-facing administrative access or weak firmware management are most at risk, notably consumers and small offices with exposed routers and delayed updates.
Detection ideas
- Look for anomalous HTTP requests to /goform/AdvSetLanip containing unusual lanIp payloads.
- Unexplained changes to routing, DNS, or firewall configuration in device logs.
- CPU/memory spikes on the device after submission of such requests.
- Repeated failed or unusual admin-access attempts from diverse sources.
- Sudden outbound connections or new network hosts observed from the device.
Mitigation and prioritisation
- Apply the vendor patch to the fixed firmware version; verify firmware integrity and enable automatic updates where possible.
- If patching is slow, disable WAN-facing admin access and restrict to trusted LANs; enforce strong authentication.
- Implement network segmentation and monitor for DNS/route alterations and unexpected traffic from the device.
- Schedule a change window for firmware deployment and perform post-patch validation.
- Treat as priority 2 given public PoC and remote access, with ongoing monitoring for exploit activity.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
