CVE-2025-5900

4.3 MEDIUM

📋 TL;DR

This CSRF vulnerability in Tenda AC9 routers lets an attacker make the browser of a user who is logged into the router's admin panel send unauthorized requests on that user's behalf, such as a reboot or a restore to factory settings. It affects Tenda AC9 routers running firmware version 15.03.02.13. The attack is delivered remotely through a malicious web page; the attacker needs no access to the router or the network, only a logged-in victim who loads the page.

💻 Affected Systems

Products:
  • Tenda AC9
Versions: 15.03.02.13
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web management interface. Requires user to be authenticated to router admin panel.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Router becomes unavailable due to repeated reboots or loses all configuration after factory reset, causing network downtime and requiring physical access to reconfigure.

🟠

Likely Case

Temporary network disruption from router reboot or loss of custom settings after factory reset, requiring reconfiguration.

🟢

If Mitigated

No impact if the firmware validates the source of state-changing requests (CSRF tokens or Origin/Referer checks) or if no one visits untrusted pages while logged into the admin panel. Keeping the router off the internet does not by itself stop CSRF: the forged request is sent by the victim's browser from inside the LAN.

🌐 Internet-Facing: MEDIUM - Attack requires user interaction but can be delivered from any website the victim visits; a WAN-exposed admin interface widens the window because the admin can be logged in from anywhere.
🏢 Internal Only: MEDIUM - A LAN-only admin interface does not block CSRF, because the request is issued by the victim's browser from inside the LAN; the attacker only needs the victim to load a page they control while an admin session is active.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires user to visit malicious webpage while logged into router admin. Proof-of-concept available in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: Yes (flashing new firmware reboots the router)

Instructions:

Check the Tenda support site for an AC9 firmware release newer than 15.03.02.13 and read its release notes; no release has been confirmed to address this issue. If one is available, download it and flash it via the web interface.

🔧 Temporary Workarounds

Enable CSRF Protection

all

Not available to users: the affected firmware exposes no setting for CSRF tokens or origin checks, so this protection can only come from a vendor firmware update.

Logout After Configuration

all

Always log out of the router admin interface when finished, and avoid browsing other sites in the same browser while logged in; the forged request only succeeds while the browser holds a valid admin session.

🧯 If You Can't Patch

  • Change the router admin password to a complex value (this does not stop CSRF, which rides on an existing session, but it blocks the credential-guessing attacks commonly chained with it)
  • Disable remote management/WAN access to the admin interface so the admin panel, and therefore the session, is reachable only from the LAN
  • Use a dedicated browser or private window for router administration and close it when finished

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin panel > System Status

Check Version:

Login to router web interface and navigate to System Status page

Verify Fix Applied:

Verify that the installed firmware version is newer than 15.03.02.13 and that its release notes mention this issue; a newer version alone is not proof of a fix, since no fixed version has been published.

📡 Detection & Monitoring

Log Indicators:

  • Multiple reboot or factory reset events in short time
  • Admin actions from unexpected IP addresses

Network Indicators:

  • HTTP POST requests to /goform/SysToolReboot or /goform/SysToolRestoreSet whose Origin or Referer header is missing or names a host other than the router's own address (a proxy or packet capture in front of the router is needed to see these headers; the router itself is unlikely to log them)

SIEM Query:

source="router" AND (event="reboot" OR event="factory_reset") AND count > 2 within 5m
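The two indicators above, as an added example that is not part of this page or of Tenda's firmware: a Python script that applies the Origin/Referer check to request records for the two endpoints and then applies the "more than 2 events within 5 minutes" threshold from the SIEM query to those requests. The record format, the router address 192.168.0.1, and the log lines are constructed assumptions; Tenda's own access logging is not documented here, so in practice the records would come from a proxy or packet capture in front of the router.

```python
# Added example (not from the advisory or from Tenda): flag reboot /
# factory-reset requests that did not come from the router's own UI and
# apply the ">2 events within 5m" threshold from the SIEM query.
#
# Assumptions (none are stated on the page): requests are recorded by a
# proxy or packet capture in a constructed format with the Referer and
# Origin headers appended; the router's LAN address is 192.168.0.1.
import re
from collections import deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Endpoints named in the advisory's network indicators.
SENSITIVE_PATHS = {"/goform/SysToolReboot", "/goform/SysToolRestoreSet"}
# Hosts a legitimate admin-UI request may carry in Origin/Referer (assumed).
ROUTER_HOSTS = {"192.168.0.1"}

# Constructed record format:
#   client [timestamp] "METHOD path HTTP/x" "referer" "origin"   ('-' = absent)
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'"(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$'
)

# Constructed sample traffic: a page load and one genuine reboot from the
# admin UI, then a lure page on evil.example driving two reboots and a
# factory reset through the logged-in browser, then a scripted request
# carrying no source headers at all.
SAMPLE_LOG = """\
192.168.0.23 [12/Jun/2025:10:00:01] "GET /index.html HTTP/1.1" "-" "-"
192.168.0.23 [12/Jun/2025:10:01:10] "POST /goform/SysToolReboot HTTP/1.1" "http://192.168.0.1/system_reboot.html" "http://192.168.0.1"
192.168.0.23 [12/Jun/2025:10:30:05] "POST /goform/SysToolReboot HTTP/1.1" "http://evil.example/lure.html" "http://evil.example"
192.168.0.23 [12/Jun/2025:10:31:00] "POST /goform/SysToolReboot HTTP/1.1" "http://evil.example/lure.html" "http://evil.example"
192.168.0.23 [12/Jun/2025:10:32:40] "POST /goform/SysToolRestoreSet HTTP/1.1" "-" "http://evil.example"
192.168.0.51 [12/Jun/2025:11:05:00] "POST /goform/SysToolReboot HTTP/1.1" "-" "-"
"""


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
    return rec


def source_host(value):
    """Host named by a Referer/Origin value; '' when absent ('-') or 'null'."""
    if value in ("", "-", "null"):
        return ""
    return (urlsplit(value).hostname or "").lower()


def classify(req, router_hosts=ROUTER_HOSTS):
    """Label a parsed request: 'cross_site' when a sensitive endpoint was hit
    with an Origin (or, failing that, Referer) outside the router's own hosts;
    'unattributed' when neither header is present (scripted, or stripped by a
    referrer policy); None when there is nothing to flag. Origin is checked
    first because browsers always send it on cross-site POSTs, while Referer
    can be suppressed by the lure page."""
    if req["path"].split("?", 1)[0] not in SENSITIVE_PATHS:
        return None
    for header in ("origin", "referer"):
        host = source_host(req[header])
        if host:
            return None if host in router_hosts else "cross_site"
    return "unattributed"


def burst_events(timestamps, threshold=2, window=timedelta(minutes=5)):
    """Timestamps at which the number of events in the trailing window exceeds
    `threshold`, i.e. the 'count > 2 within 5m' rule of the SIEM query."""
    hits, recent = [], deque()
    for ts in sorted(timestamps):
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > threshold:
            hits.append(ts)
    return hits


def analyze(lines):
    """Run both checks over raw records; unparseable lines are skipped."""
    parsed = [p for p in map(parse_line, lines) if p]
    flagged = []
    for p in parsed:
        label = classify(p)
        if label:
            flagged.append({"client": p["client"], "ts": p["ts"],
                            "path": p["path"], "label": label})
    sensitive_ts = [p["ts"] for p in parsed
                    if p["path"].split("?", 1)[0] in SENSITIVE_PATHS]
    return {"flagged": flagged, "bursts": burst_events(sensitive_ts)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for e in result["flagged"]:
        print(f"{e['ts']} {e['client']} {e['path']} -> {e['label']}")
    for ts in result["bursts"]:
        print(f"{ts} burst: >2 reboot/reset requests within 5 minutes")
```

On the sample data the three requests driven from evil.example are labelled cross_site, the header-less scripted request is labelled unattributed, and the burst rule fires once, at the factory-reset request, while the single legitimate reboot earlier in the day is not flagged by either check.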

🔗 References
