CVE-2025-44872 – This CVE describes a command injection vulnerab... (How to Fix)

Q: What is the severity of CVE-2025-44872?

CVE-2025-44872 has a CVSS score of 9.8 (CRITICAL). This CVE describes a command injection vulnerability in Tenda AC9 routers that allows attackers to execute arbitrary commands via the deviceName parameter in the formsetUsbUnload function. Attackers can exploit this to gain full control of affected routers. Users running Tenda AC9 routers with vulnerable firmware are affected.

📋 TL;DR

This CVE describes a command injection vulnerability in Tenda AC9 routers that allows attackers to execute arbitrary commands via the deviceName parameter in the formsetUsbUnload function. Attackers can exploit this to gain full control of affected routers. Users running Tenda AC9 routers with vulnerable firmware are affected.

💻 Affected Systems

Products:

Tenda AC9

Versions: V15.03.06.42_multi

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Ac9 Firmware by Tenda

View all CVEs affecting Ac9 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing persistent backdoor installation, network traffic interception, lateral movement to connected devices, and botnet recruitment.

🟠

Likely Case

Router takeover enabling DNS hijacking, credential theft from network traffic, and deployment of malware to connected devices.

🟢

If Mitigated

Limited impact with proper network segmentation and firewall rules preventing external access to router management interface.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and this vulnerability allows unauthenticated remote code execution.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they gain network access, but external exploitation is more likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept exists in GitHub repositories, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware for AC9. 3. Access router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router management interface

Network Segmentation

all

Isolate router management interface to trusted network segment

🧯 If You Can't Patch

Replace affected router with different model/brand
Implement strict firewall rules blocking all external access to router management ports (typically 80, 443, 8080)

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or similar section

Check Version:

Login to router web interface and navigate to System Status page

Verify Fix Applied:

Verify firmware version is updated to a version later than V15.03.06.42_multi

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to formsetUsbUnload endpoint
Suspicious command execution in system logs
Unexpected process creation

Network Indicators:

Unusual traffic to router management ports from external IPs
Suspicious payloads in HTTP requests to router

SIEM Query:

source="router_logs" AND (uri="/goform/setUsbUnload" OR process="sh" OR process="bash") AND command="*"

📊 Metadata

CVE ID: CVE-2025-44872

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

EPSS Score: 3.18% exploit probability (86.7th percentile)

Published: May 2, 2025

Last Updated: May 27, 2025

🔗 References

https://github.com/Summermu/VulnForIoT/tree/main/Tenda_AC/AC9_formsetUsbUnload Exploit,Third Party Advisory
https://github.com/Summermu/VulnForIoT/tree/main/Tenda_AC/AC9_formsetUsbUnload Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-44872, you might also want to check these: