Description

Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. When handling the list and vlanId parameters, the sub_ADBC0 helper function concatenates these user-supplied values into nvram set system commands using doSystemCmd, without validating or sanitizing special characters (e.g., ;, ", #). An unauthenticated or authenticated attacker can exploit this by submitting a crafted POST request, leading to arbitrary system command execution on the affected device.

INFO

Published Date :

2025-09-19T00:00:00.000Z

Last Modified :

2025-09-19T17:58:17.915Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-57296 vulnerability.

Vendors Products
Tenda
  • Ac6
  • Ac6 Firmware
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-57296.

URL Resource
https://github.com/ZZ2266/.github.io/blob/main/Tenda/readme.md cve-icon cve-icon
https://github.com/ZZ2266/.github.io/tree/main/Tenda cve-icon cve-icon
https://tenda.com.cn/material/show/2681 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact