CISA issues advisory on Tenda router command injection vulnerabilities
Multiple firmware versions of the Tenda N300 series and Tenda 4G03 Pro routers contain command injection vulnerabilities that allow attackers to execute arbitrary commands with root privileges on affected devices.
The vulnerabilities include CVE-2025-13207, which affects firmware versions up to and including v04.03.01.44 in the /usr/sbin/httpd service and can be exploited by sending a crafted, authenticated Hypertext Transfer Protocol (HTTP) request to Transmission Control Protocol (TCP) port 80. CVE-2024-24481 affects firmware versions up to and including v04.03.01.14 and stems from improper input validation in a web interface function reachable on TCP port 7329; it is a separate issue from CVE-2023-2649. Both vulnerabilities were found by reverse engineering the firmware. Affected devices include the Tenda 4G03 Pro, a portable 4G Long Term Evolution (LTE) router that provides internet access over a Subscriber Identity Module (SIM) card.
Exploitation of these vulnerabilities permits an attacker to run arbitrary commands as root on the underlying Operating System (OS), effectively granting full control over the device.
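The pattern behind command injection bugs of this kind, shown here as an added illustration written for this article and not taken from Tenda's httpd (the handler shape, the ping example and the function names are assumptions): a request parameter spliced into a command line that is handed to system(), next to a hardened version that allow-lists the value and builds an argv for execve() so no shell ever parses the input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: a request parameter is spliced into a shell command
 * line that is then handed to system(). Returns the command string that
 * would reach /bin/sh, or NULL if it does not fit the buffer. Because the
 * web server runs as root, everything after an injected ';' runs as root. */
const char *build_cmd_vulnerable(const char *host)
{
    static char cmd[256];
    int len = snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    if (len < 0 || (size_t)len >= sizeof cmd)
        return NULL;
    return cmd;   /* the real handler would call system(cmd) here */
}

/* Allow-list check for a host parameter: letters, digits, '.', '-' and ':'
 * (enough for hostnames and IPv4/IPv6 literals). Shell metacharacters such
 * as ';', '|', '&', '$', '`' and whitespace never pass. A leading '-' is
 * also rejected so the value cannot be parsed as a ping option. */
int is_safe_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Hardened pattern: validate first, then build an argv for execve() or
 * posix_spawn() so no shell interprets the input. Returns the
 * NULL-terminated argv, or NULL when the parameter is rejected. */
const char **build_argv_hardened(const char *host)
{
    static const char *argv[5];
    if (!is_safe_host(host))
        return NULL;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;   /* passed as a single argument, never re-parsed */
    argv[4] = NULL;
    return argv;
}

int main(void)
{
    /* Constructed attacker input: a valid address followed by an injected command. */
    const char *param = "8.8.8.8; cat /etc/shadow";
    const char *cmd = build_cmd_vulnerable(param);
    const char **argv = build_argv_hardened(param);

    printf("vulnerable handler would run via system(): %s\n", cmd ? cmd : "(too long)");
    printf("hardened handler: %s\n", argv ? "accepted" : "rejected the parameter");

    argv = build_argv_hardened("8.8.8.8");
    if (argv)
        printf("hardened handler execs: %s %s %s %s\n", argv[0], argv[1], argv[2], argv[3]);
    return 0;
}
```

The allow-list is deliberately stricter than "strip the characters I know are dangerous": a deny-list misses encodings and shell features the author did not think of, whereas restricting the value to the characters a hostname can contain and bypassing the shell entirely closes the whole class. Fork-and-exec details are left to the caller so the example stays self-contained.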
The CERT Coordination Center (CERT/CC) has not identified any vendor-supplied patches or mitigations addressing these vulnerabilities at this time.
Users who depend on these devices for security-sensitive operations are advised to consider replacing them. If replacement is not immediately feasible, reduce the device's exposure: keep the web management interface (TCP port 80) and TCP port 7329 reachable only from a trusted local network, never from the WAN, and set a strong, non-default administrator password, since exploiting CVE-2025-13207 requires an authenticated request. Users should monitor Tenda's firmware updates and advisories for any future patches.