CVE-2025-11121

A security vulnerability has been detected in Tenda AC18 15.03.05.19. The impacted element is an unknown function of the file /goform/AdvSetLanip. The manipulation of the argument lanIp leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VulDBCNA
6.3 MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
VendorProductVersion
tendaac18_firmware
15.03.05.19
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC18/AdvSetLanip.md
https://vuldb.com/?ctiid.326202
https://vuldb.com/?id.326202
https://vuldb.com/?submit.664191
https://www.tenda.com.cn/
https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC18/AdvSetLanip.md