CVE-2025-24322 – An unsafe default authentication vulnerability ... (How to Fix)

Q: What is the severity of CVE-2025-24322?

CVE-2025-24322 has a CVSS score of 8.1 (HIGH). An unsafe default authentication vulnerability in Tenda AC6 routers allows attackers to execute arbitrary code via specially crafted network requests during initial setup. This affects Tenda AC6 V5.0 routers running vulnerable firmware versions. Attackers can trigger this by browsing to the device.

📋 TL;DR

An unsafe default authentication vulnerability in Tenda AC6 routers allows attackers to execute arbitrary code via specially crafted network requests during initial setup. This affects Tenda AC6 V5.0 routers running vulnerable firmware versions. Attackers can trigger this by browsing to the device.

💻 Affected Systems

Products:

Tenda AC6 V5.0

Versions: V02.03.01.110 and possibly earlier

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in initial setup authentication functionality; devices that completed setup may still be vulnerable if not patched.

📦 What is this software?

Ac6 Firmware by Tenda

View all CVEs affecting Ac6 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, and lateral movement to other devices on the network.

🟠

Likely Case

Router takeover allowing DNS hijacking, credential theft, and use as pivot point for further attacks.

🟢

If Mitigated

Limited impact if device is behind firewall and initial setup was completed securely.

🌐 Internet-Facing: HIGH - Directly accessible devices can be exploited remotely without authentication.

🏢 Internal Only: MEDIUM - Requires network access but exploitation is straightforward once inside.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires browsing to device during initial setup phase; detailed technical analysis available in Talos reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Tenda website for latest firmware

Vendor Advisory: https://www.tenda.com.cn/en/security

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to System Tools > Firmware Upgrade. 3. Download latest firmware from Tenda website. 4. Upload and install firmware. 5. Reboot router.

🔧 Temporary Workarounds

Disable WAN Management

all

Prevent external access to router management interface

Navigate to Advanced > System Tools > Remote Management and disable

Change Default Credentials

all

Use strong unique credentials after initial setup

Navigate to System Tools > Password and set strong password

🧯 If You Can't Patch

Isolate router on separate VLAN with strict firewall rules
Monitor for suspicious traffic to/from router management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Confirm firmware version is newer than V02.03.01.110

📡 Detection & Monitoring

Log Indicators:

Unusual authentication attempts during setup
Multiple failed login attempts from single source

Network Indicators:

HTTP requests to /goform/setAuth during initial setup
Unusual outbound connections from router

SIEM Query:

source="router.log" AND ("setup" OR "auth" OR "goform") AND status=200

📊 Metadata

CVE ID: CVE-2025-24322

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-304

EPSS Score: 0.07% exploit probability (20.3th percentile)

Published: August 20, 2025

Last Updated: November 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-24322, you might also want to check these: