CERT/CC Warns of Unpatched Root-Level Command Injection Flaws in Tenda 4G03 Pro and N300 Routers (CVE-2025-13207, CVE-2024-24481)

The CERT Coordination Center (CERT/CC) has issued a warning about multiple unpatched command injection vulnerabilities affecting Tenda’s 4G03 Pro and N300 series routers. The flaws, which allow attackers to execute commands as root, have no vendor-supplied fixes, leaving users exposed to complete device compromise.

According to the advisory, “A command injection vulnerability exists across multiple firmware versions that allows an attacker to execute arbitrary commands as root on the affected device.”

CERT/CC attributes the discovery to researcher Ax, who identified multiple exploitable components inside the router’s internal services.

The flaws stem from insecure processing of attacker-controlled data: “Multiple components within this model… are impacted by command injection flaws that stem from improper handling of attacker-controlled input passed to internal service functions.”

The first vulnerability, tracked as CVE-2025-13207, affects firmware up to and including v04.03.01.44. CERT/CC explains, “Manipulation of arguments passed to a function within the service /usr/sbin/httpd can be exploited. A crafted, authenticated HTTP request to TCP port 80 can trigger arbitrary command execution.”

This gives any authenticated attacker the ability to execute root-level commands directly through the device’s main web interface.

A second flaw—distinct from earlier 2023 issues (CVE-2023-2649)—exists in firmware up to and including v04.03.01.14. According to the advisory, “Improper input handling within an accessible function leads to a similar command injection condition… A crafted network request to TCP port 7329 can result in command execution.”

Both vulnerabilities require authentication, but many Tenda devices ship with weak or unchanged default credentials, increasing real-world risk.

CERT/CC emphasizes that successful exploitation grants total control: “Successful exploitation allows an attacker to execute arbitrary commands as root on the underlying operating system, allowing attacker to take total control of the device.”

Given that the CERT/CC is “currently unaware of a vendor-supplied patch or mitigation for these vulnerabilities“, users are urged to take immediate action to protect their networks.

The official advisory provides three key recommendations:

• Use an Alternative Device: Because no remediation is currently available, users who rely on this device in security-sensitive scenarios “may consider other devices for such access.“
• Reduce Exposure: If replacing the device is not immediately feasible, users should “limit usage to reduce risk of abuse.” This could involve restricting network access or only using the device when absolutely necessary.
• Monitor for Vendor Updates: Users should “periodically check for firmware updates or advisories from Tenda in case a patch becomes available in the future.“

Related Posts:

• CVE-2025-22398: Dell Unity Hit by 9.8 CVSS Root-Level Command Injection Flaw
• Tenda Router Flaw (CVSS 9.8): Unauthenticated RCE Flaw (PoC, No Patch)
• CVE-2025-1851: Tenda AC7 Routers at Risk of Root Compromise, PoC Released
• CVE-2023-4498: Tenda N300 Router Authentication Bypass Vulnerability
• Critical Flaws Found in Partner Software: Default Admin Passwords & XSS Allow RCE on Government Systems