CVE-2025-57220

5.3 MEDIUM

📋 TL;DR

An input validation flaw in the 'ate' service of Tenda AC10 routers allows unauthenticated attackers to send crafted UDP packets to escalate privileges to root. This affects Tenda AC10 v4.0 devices running firmware version 16.03.10.09_multi_TDE01. Attackers can gain complete control of affected routers.

💻 Affected Systems

Products:
  • Tenda AC10 v4.0
Versions: firmware v16.03.10.09_multi_TDE01
Operating Systems: Embedded Linux on Tenda routers
Default Config Vulnerable: ⚠️ Yes
Notes: The 'ate' service runs by default on affected firmware versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of router with root shell access, allowing traffic interception, DNS manipulation, network pivoting, and persistent backdoor installation.

🟠 Likely Case

Router takeover leading to credential theft, man-in-the-middle attacks, and botnet recruitment.

🟢 If Mitigated

Limited impact if router is behind firewall with UDP port blocking and network segmentation.

🌐 Internet-Facing: HIGH - The 'ate' service listens on UDP ports accessible from WAN interface by default.
🏢 Internal Only: HIGH - Attackers on local network can exploit this without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending crafted UDP packets to the 'ate' service port. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: Yes

Instructions:

1. Check Tenda support for firmware updates.
2. If update available, download from official Tenda website.
3. Log into router admin interface.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload new firmware file.
6. Wait for router to reboot.

🔧 Temporary Workarounds

Block UDP access to ate service

linux

Use firewall rules to block UDP traffic to the ate service port (typically 29808 or similar)

iptables -A INPUT -p udp --dport 29808 -j DROP

Disable ate service

linux

Stop and disable the vulnerable ate service if not needed

killall ate
chmod -x /usr/bin/ate

🧯 If You Can't Patch

  • Segment affected routers to isolated network segments
  • Implement strict firewall rules blocking all unnecessary UDP ports from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface or via SSH (the -F flag makes grep match the dots literally): grep -F 16.03.10.09 /etc/version

Check Version:

cat /etc/version

Verify Fix Applied:

Verify firmware version is updated beyond v16.03.10.09_multi_TDE01 and ate service is not running on UDP ports
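
The two checks above (firmware string and whether ate is still bound to UDP) can be combined into one verdict. The script below is an added example, not vendor tooling or code from the original advisory; it assumes `netstat -lnup` is available on the device, and the function names and status words are hypothetical.

```shell
#!/bin/sh
# Added example. Classifies a router from two inputs: the contents of
# /etc/version and the output of `netstat -lnup` (assumed to be available).
AFFECTED='16.03.10.09_multi_TDE01'   # affected firmware string from the advisory

# Succeeds if the version text contains the affected string (literal match,
# so the dots are not treated as wildcards).
is_affected_version() {
    case "$1" in
        *"$AFFECTED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the local address:port of every UDP socket owned by a process
# named exactly "ate". UDP rows have no State column, so PID/Program is $NF.
ate_udp_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^udp/ {
            n = split($NF, prog, "/")
            if (n == 2 && prog[2] == "ate") print $4
        }'
}

# Prints one of: VULNERABLE, WORKAROUND_ONLY, REVIEW, OK.
assess() {
    listeners=$(ate_udp_listeners "$2")
    if is_affected_version "$1"; then
        if [ -n "$listeners" ]; then echo VULNERABLE; else echo WORKAROUND_ONLY; fi
    elif [ -n "$listeners" ]; then
        echo REVIEW        # other firmware, but ate is still bound to UDP
    else
        echo OK
    fi
}

# Constructed sample inputs (not captured from a real device).
SAMPLE_VERSION='V16.03.10.09_multi_TDE01'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:53              0.0.0.0:*                           411/dnsmasq
udp        0      0 0.0.0.0:29808           0.0.0.0:*                           502/ate'

assess "$SAMPLE_VERSION" "$SAMPLE_NETSTAT"
# On a device: assess "$(cat /etc/version)" "$(netstat -lnup 2>/dev/null)"
```

WORKAROUND_ONLY means the affected firmware is still installed and only the ate listener is gone, so the check should be repeated after every reboot.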

📡 Detection & Monitoring

Log Indicators:

  • Unusual UDP connections to high ports
  • ate service crash logs
  • Privilege escalation attempts in system logs

Network Indicators:

  • UDP packets to port 29808 with unusual payloads
  • Multiple connection attempts to ate service

SIEM Query:

source="router.logs" AND (udp.dport=29808 OR process="ate")
