Login Sign Up

CVE-2022-25427

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda AC9 routers via a stack overflow in the openSchedWifi function. Attackers can exploit this by sending specially crafted requests to the schedendtime parameter, potentially gaining full control of affected devices. This affects all users running vulnerable firmware versions.

💻 Affected Systems

Products:
  • Tenda AC9
Versions: v15.03.2.21
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running this specific firmware version are vulnerable by default.

📦 What is this software?

Ac9 Firmware by Tenda

View all CVEs affecting Ac9 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, credential theft, and use as a pivot point for attacking other internal systems.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as part of a botnet.

🟢

If Mitigated

Limited impact if network segmentation prevents lateral movement and external access is restricted.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - If external access is blocked, risk is reduced but still present from compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists in GitHub repositories, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Tenda website for latest firmware

Vendor Advisory: https://www.tendacn.com/en/

Restart Required: Yes

Instructions:

1. Visit Tenda support website. 2. Download latest firmware for AC9. 3. Log into router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable remote administration

all

Prevents external attackers from accessing vulnerable interface

Network segmentation

all

Isolate router management interface from untrusted networks

🧯 If You Can't Patch

  • Replace vulnerable device with patched alternative
  • Implement strict firewall rules blocking all external access to router management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status or System Tools

Check Version:

Login to router web interface and check System Status page

Verify Fix Applied:

Confirm firmware version is newer than v15.03.2.21 after patching

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to router management interface
  • Multiple failed exploit attempts
  • Unexpected configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • Traffic patterns suggesting command and control communication

SIEM Query:

source="router_logs" AND (uri="*/goform/openSchedWifi" OR uri="*/goform/*") AND method="POST"

📊 Metadata

CVE ID: CVE-2022-25427
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: March 18, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-25427, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)