CVE-2025-10442 · HIGH 8.8 · EPSS p94.2%

Description

A vulnerability was identified in Tenda AC9 and AC15 15.03.05.14. It affects the function formexeCommand of the file /goform/exeCommand. Manipulation of the argument cmdinput causes OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.32% probability of exploitation · percentile 94.2% · 2026-06-18T12:00:27Z
Published: 2025-09-15
Last modified: 2026-04-29

Underlying weaknesses · 2

CWE-77, CWE-78

References

  1. https://github.com/2664521593/mycve/blob/main/Tenda/Tenda_AC9_CJ.md
  2. https://github.com/2664521593/mycve/blob/main/Tenda/Tenda_AC9_CJ.md#poc
  3. https://vuldb.com/?ctiid.323876
  4. https://vuldb.com/?id.323876
  5. https://vuldb.com/?submit.647838
  6. https://vuldb.com/?submit.647839
  7. https://www.tenda.com.cn/

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') cwe-77 | 0% | live
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') cwe-78 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-10443
CVE: CVE-2025-9812
CVE: CVE-2025-12622
CVE: CVE-2025-45042
CVE: CVE-2025-25675
CVE: CVE-2025-25632

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.