Command Injection Vulnerability in Tenda W20E by Tenda
CVE-2025-44865

Currently unrated

Key Information:

Vendor: Tenda
Status: Tenda W20E
Vendor: CVE Published:; 1 May 2025

What is CVE-2025-44865?

The Tenda W20E firmware version V15.11.0.6 is susceptible to a command injection vulnerability within the formSetDebugCfg function, which is exploited through the vulnerable enable parameter. This weakness could permit attackers to execute arbitrary commands on the device by sending specially crafted requests. This poses a significant risk to users, enabling unauthorized access and control over IoT deployments.

References

https://github.com/Summermu/VulnForIoT/tree/main/Tenda_W2...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2025
Vulnerability Reserved
Apr 22, 2025