Command Injection Vulnerability in Tenda AC6 Router Firmware
CVE-2025-57296

6.5MEDIUM

Key Information:

Vendor: Tenda
Status: AC6 Router
Vendor: CVE Published:; 19 September 2025

What is CVE-2025-57296?

The Tenda AC6 Router firmware version 15.03.05.19 is prone to a command injection vulnerability within the formSetIptv function. This issue arises during the processing of user inputs like 'list' and 'vlanId' in the '/goform/SetIPTVCfg' web interface. The vulnerable sub_ADBC0 helper function fails to validate or sanitize the input, allowing an attacker—regardless of authenticated status—to exploit this flaw. By sending a specially crafted POST request, attackers could execute arbitrary system commands, potentially compromising the integrity of the device.

References

https://tenda.com.cn/material/show/2681

https://github.com/ZZ2266/.github.io/tree/main/Tenda

https://github.com/ZZ2266/.github.io/blob/main/Tenda/read...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 19, 2025
Vulnerability Reserved
Aug 17, 2025

JSON