Tenda N300 wi-fi routers and 4G03 Professional moveable LTE gadgets face extreme safety threats from a number of command injection vulnerabilities that permit attackers to execute arbitrary instructions with root privileges.
The affected gadgets at present lack vendor patches, leaving customers weak. The vulnerabilities stem from improper dealing with of person enter inside crucial service capabilities on these Tenda gadgets.
Command Injection Flaws in Tenda N300
Based on CERT/CC , Attackers can exploit these flaws by means of specifically crafted HTTP requests to achieve full management over affected routers.
CVE-2025-13207 impacts Tenda 4G03 Professional firmware variations as much as and together with v04.03.01.44.
An authenticated attacker can manipulate arguments handed to capabilities inside the /usr/sbin/httpd service.
CVE IDAffected ProductsVulnerability TypeAttack VectorImpactCVE-2025-13207Tenda 4G03 Professional (firmware ≤v04.03.01.44)Command InjectionNetwork (HTTP TCP port 80)Distant Code Execution as rootCVE-2024-24481Tenda N300 / 4G03 Professional (firmware ≤v04.03.01.14)Command InjectionNetwork (TCP port 7329)Distant Code Execution as root
By sending a crafted HTTP request to TCP port 80, the attacker can execute arbitrary instructions as the basis person.
CVE-2024-24481 impacts firmware variations as much as v04.03.01.14 and entails improper enter dealing with inside an accessible net interface operate.
An authenticated attacker can invoke this operate and ship a crafted community request to TCP port 7329, leading to command execution.
Carnegie Mellon College researchers observe that this concern is distinct from CVE-2023-2649. Profitable exploitation grants attackers complete management of the affected system.
As soon as compromised, attackers can modify router configurations, intercept community site visitors, deploy malware, or use the system as a central level for additional community assaults.
Provided that these are community infrastructure gadgets, the compromise may have an effect on all related gadgets and knowledge passing by means of the router.
Since Tenda has not launched patches to deal with these vulnerabilities, the CERT/CC recommends a number of mitigation steps.
Customers in security-sensitive environments ought to take into account changing affected gadgets with various routers from different distributors.
If instant substitute isn’t potential, reduce the system’s publicity by limiting community entry and proscribing utilization the place possible.
Customers ought to recurrently monitor Tenda’s official web site and safety advisories for potential firmware updates or patches.
The vulnerabilities had been publicly disclosed on November 20, 2025, and vendor remediation stays unavailable right now.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
