CVE-2025-57296

Published: Sep 19, 2025

Modified: Sep 19, 2025

PUBLISHED

Description

Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. When handling the list and vlanId parameters, the sub_ADBC0 helper function concatenates these user-supplied values into nvram set system commands using doSystemCmd, without validating or sanitizing special characters (e.g., ;, ", #). An unauthenticated or authenticated attacker can exploit this by submitting a crafted POST request, leading to arbitrary system command execution on the affected device.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://tenda.com.cn/material/show/2681

https://github.com/ZZ2266/.github.io/tree/main/Tenda

https://github.com/ZZ2266/.github.io/blob/main/Tenda/readme.md

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-57296

Description

Affected Products

References