CVE-2025-8980

MEDIUM

Tenda G1 16.01.7.8(3660) - Insufficient Verification of Data Authenticity in Firmware Update Handler

Title source: llm

Description

A vulnerability has been found in Tenda G1 16.01.7.8(3660). Affected by this issue is the function check_upload_file of the component Firmware Update Handler. The manipulation leads to insufficient verification of data authenticity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

References (7)

Core 7

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.319976

Permissions Required signature permissions-required

https://vuldb.com/?ctiid.319976

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.628605

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.628606

Third Party Advisory patch

https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Tenda/G1_Inte.md

View Writeup ZIP pw:eip

Third Party Advisory exploit patch

https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Tenda/G1_Auth.md

View Writeup ZIP pw:eip

Product product

https://www.tenda.com.cn/

Scores

CVSS v3 6.6

EPSS 0.0031

EPSS Percentile 22.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-345

Status published

Products (1)

tenda/g1_firmware 16.01.7.8\(3660\)

Published Aug 14, 2025

Tracked Since Feb 18, 2026