Tenda FH1202, Improper Access Control, CVE-2025-2989 (Critical)

The CVE-2025-2989 vulnerability in Tenda FH1202 firmware version 1.2.0.14(408) allows remote attackers to bypass authentication via the `/goform/AdvSetWrl` endpoint in the web management interface. The flaw stems from improper access controls, enabling unauthorized manipulation of router settings without credentials. Attackers can send crafted HTTP requests to this endpoint, altering configurations or extracting sensitive data. The vulnerability is remotely exploitable with no user interaction required, earning it a CVSS 4.0 score of 6.9 (MEDIUM). Public exploit scripts further increase its risk.

DailyCVE Form

Platform: Tenda FH1202
Version: 1.2.0.14(408)
Vulnerability: Improper Access Control
Severity: Critical
Date: 04/07/2025

What Undercode Says:

Exploitation:

1. Craft a malicious POST request to `/goform/AdvSetWrl`:

POST /goform/AdvSetWrl HTTP/1.1
Host: [bash]
Content-Type: application/x-www-form-urlencoded
Content-Length: [bash]
[bash]

2. Use `curl` for automated exploitation:

curl -X POST http://[bash]/goform/AdvSetWrl -d "param=exploit"

3. Metasploit module (if available):

use exploit/linux/http/tenda_fh1202_auth_bypass

Mitigation:

1. Apply vendor firmware patches immediately.

2. Restrict web interface access via firewall rules:

iptables -A INPUT -p tcp --dport 80 -s [bash] -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

3. Disable remote management if unused.

4. Monitor logs for suspicious `/goform/AdvSetWrl` requests:

grep "AdvSetWrl" /var/log/nginx/access.log
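A grep on the endpoint name shows every hit, including legitimate changes made from the router's own web UI. The following script is an added example (not from the advisory, Undercode, or Tenda) that parses access-log lines in NCSA combined format and raises an alert only for `/goform/AdvSetWrl` requests that look unauthenticated or scripted. The sample log lines are constructed, and the management subnet (192.168.0.0/24), the log format, and the three heuristics (source outside the management subnet, no Referer header, scripted User-Agent) are assumptions to adjust for the deployment.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample log lines in NCSA combined format (not captured traffic).
SAMPLE_LOG = """\
192.168.0.10 - - [07/Apr/2025:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [07/Apr/2025:10:02:03 +0000] "POST /goform/AdvSetWrl HTTP/1.1" 200 128 "-" "curl/8.4.0"
192.168.0.10 - - [07/Apr/2025:10:03:44 +0000] "POST /goform/AdvSetWrl HTTP/1.1" 200 128 "http://192.168.0.1/wireless.html" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2025:10:04:00 +0000] "GET /goform/AdvSetWrl?x=1 HTTP/1.1" 200 64 "-" "python-requests/2.31"
garbage line that does not parse
"""

# NCSA combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the advisory. The management subnet is an assumption for this example.
WATCHED_PATH = "/goform/AdvSetWrl"
MANAGEMENT_NET = ipaddress.ip_network("192.168.0.0/24")

# Assumed user-agent substrings that indicate scripted rather than browser traffic.
SCRIPTED_UA_MARKERS = ("curl", "python-requests", "wget", "go-http-client")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text: str,
                    allowed_net: ipaddress.IPv4Network = MANAGEMENT_NET) -> List[Dict[str, object]]:
    """Return one alert per request to the watched endpoint that trips at least one heuristic."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as alerts
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path != WATCHED_PATH:
            continue
        reasons: List[str] = []
        if ipaddress.ip_address(rec["ip"]) not in allowed_net:
            reasons.append("source outside management subnet")
        if rec["referer"] == "-":
            reasons.append("no Referer (request not issued from the web UI)")
        if any(marker in rec["ua"].lower() for marker in SCRIPTED_UA_MARKERS):
            reasons.append("scripted user agent")
        if reasons:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"],
                           "method": rec["method"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} {alert['method']} {WATCHED_PATH}: "
              + "; ".join(alert["reasons"]))
```

Run against a real log with `find_suspicious(open("/var/log/nginx/access.log").read())`. The in-subnet request with a Referer from the router UI is not reported, while the two external, referer-less, tool-driven requests are, which is the signal the advisory's monitoring step is after.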

Detection:

1. Scan for vulnerable devices using `nmap`:

nmap -p80 --script http-vuln-cve2025-2989 [bash]

2. Check firmware version:

grep "1.2.0.14" /etc/version

Analytics:

  • Exploitability: High (public PoC available).
  • Attack Vector: Remote, unauthenticated.
  • Impact: Full router compromise, data leakage.
  • Patch Status: Check Tenda’s official advisory.

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-2989
Extra Source Hub:
Undercode
