CVE-2025-22949 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-22949?

CVE-2025-22949 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary commands on Tenda AC9 routers by injecting malicious commands into the SetSambaCfg form. Attackers can gain full control of affected devices, potentially compromising network security. All users running the vulnerable firmware version are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on Tenda AC9 routers by injecting malicious commands into the SetSambaCfg form. Attackers can gain full control of affected devices, potentially compromising network security. All users running the vulnerable firmware version are affected.

💻 Affected Systems

Products:

Tenda AC9

Versions: v1.0 firmware v15.03.05.19

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific firmware version only. Other AC9 models or firmware versions may not be vulnerable.

📦 What is this software?

Ac9 Firmware by Tenda

View all CVEs affecting Ac9 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and botnet recruitment.

🟠

Likely Case

Router compromise allowing attackers to modify DNS settings, intercept credentials, deploy malware to connected devices, and use the router for DDoS attacks.

🟢

If Mitigated

Limited impact with proper network segmentation, firewall rules blocking external access to router admin interface, and regular monitoring.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and the exploit requires no authentication, making them prime targets for automated attacks.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they gain network access, but external exploitation is more likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is in a web form handler that doesn't properly sanitize user input before passing it to system commands. Public technical details exist, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda's official website for firmware updates. 2. If available, download the latest firmware for AC9 v1.0. 3. Log into router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install the new firmware. 6. Reboot the router.

🔧 Temporary Workarounds

Disable Samba Service

all

Disable the vulnerable Samba configuration interface to prevent exploitation

Login to router admin interface
Navigate to Advanced > USB Sharing
Disable Samba sharing if enabled

Restrict Admin Interface Access

linux

Block external access to router admin interface using firewall rules

iptables -A INPUT -p tcp --dport 80 -s ! 192.168.1.0/24 -j DROP
iptables -A INPUT -p tcp --dport 443 -s ! 192.168.1.0/24 -j DROP

🧯 If You Can't Patch

Replace the router with a different model that receives security updates
Place the router behind a dedicated firewall that blocks all external access to its management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or System Tools > Firmware Upgrade. If version is exactly 15.03.05.19 for AC9 v1.0, the device is vulnerable.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version or check web interface

Verify Fix Applied:

After updating firmware, verify the version has changed from 15.03.05.19. Test if the /goform/SetSambaCfg endpoint still accepts command injection.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/SetSambaCfg
Commands with shell metacharacters in web logs
Unexpected system processes spawned from web server

Network Indicators:

HTTP POST requests to /goform/SetSambaCfg containing pipe characters, semicolons, or backticks
Outbound connections from router to suspicious IPs

SIEM Query:

source="router-logs" AND uri_path="/goform/SetSambaCfg" AND (request_body="*;*" OR request_body="*|*" OR request_body="*`*")

📊 Metadata

CVE ID: CVE-2025-22949

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

EPSS Score: 4.65% exploit probability (89.1th percentile)

Published: January 10, 2025

Last Updated: April 9, 2025

🔗 References

https://noisy-caravel-a9a.notion.site/Tenda_AC9V1-0_V15-03-05-19_formSetSambaConf_doSystemCmd_CI-16f898c94eac80d5801bdaf777ac2b27 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-22949, you might also want to check these: