Command Injection Vulnerability in Tenda W20E by Tenda
CVE-2025-44867

Currently unrated

Key Information:

Vendor: Tenda
Status: W20E
Vendor: CVE Published:; 1 May 2025

What is CVE-2025-44867?

The Tenda W20E router has a security flaw stemming from a command injection vulnerability within the formSetNetCheckTools function. By manipulating the hostName parameter, attackers can fabricate requests that execute arbitrary commands on the device. This flaw can compromise the integrity of the router and lead to unauthorized control. Users should update to the latest firmware version to mitigate this risk.

References

https://github.com/Summermu/VulnForIoT/tree/main/Tenda_W2...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2025
Vulnerability Reserved
Apr 22, 2025