Command Injection Vulnerability in Tenda W20E Router
CVE-2025-44864

Currently unrated

Key Information:

Vendor: Tenda
Status: W20E Router
Vendor: CVE Published:; 1 May 2025

What is CVE-2025-44864?

The Tenda W20E router has a critical command injection vulnerability in the formSetDebugCfg function. By exploiting the module parameter, attackers can craft specialized requests to execute arbitrary commands on the device, potentially compromising its security and affecting the network it operates within. This vulnerability underscores the importance of securing Internet of Things (IoT) devices against unauthorized access and manipulation.

References

https://github.com/Summermu/VulnForIoT/tree/main/Tenda_W2...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2025
Vulnerability Reserved
Apr 22, 2025