CVE-2025-9090

MEDIUM

Tenda AC20 16.03.08.12 - Command Injection

Title source: llm

Description

A vulnerability was identified in Tenda AC20 16.03.08.12. It affects the function websFormDefine of the file /goform/telnet in the Telnet Service component. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.

Exploits (2)

exploitdb WORKING POC
by Byte Reaper · c · remote · multiple
https://www.exploit-db.com/exploits/52418
nomisec WORKING POC 1 star
by byteReaper77 · poc
https://github.com/byteReaper77/CVE-2025-9090

Scores

CVSS v3 6.3
EPSS 0.0305
EPSS Percentile 86.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-74, CWE-77
Status published
Products (1)
tenda/ac20_firmware 16.03.08.12
Published Aug 17, 2025
Tracked Since Feb 18, 2026