CVE-2025-8980

MEDIUM

Tenda G1 Firmware - Data Authenticity Bypass

Title source: rule

Description

A vulnerability has been found in Tenda G1 16.01.7.8(3660). Affected by this issue is the function check_upload_file of the component Firmware Update Handler. The manipulation leads to insufficient verification of data authenticity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

References (7)

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.319976

[Permissions Required] https://vuldb.com/?ctiid.319976

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.628605

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.628606

[Third Party Advisory] https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Tenda/G1_Inte.md

View Writeup ZIP pw:eip

[Third Party Advisory] https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Tenda/G1_Auth.md

[Product] https://www.tenda.com.cn/

Scores

CVSS v3 6.6

EPSS 0.0012

EPSS Percentile 30.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-345

Status published

Products (1)

tenda/g1_firmware 16.01.7.8\(3660\)

Published Aug 14, 2025

Tracked Since Feb 18, 2026