Tenda N300 wireless routers and 4G03 Pro portable LTE devices are currently facing severe security threats due to multiple command injection vulnerabilities. These flaws allow attackers to execute arbitrary commands with root privileges on the affected devices.
The critical vulnerabilities stem from improper handling of user input within essential service functions on these Tenda devices, and they currently lack vendor patches, leaving users highly vulnerable.
Unauthenticated Root Command Execution
According to CERT/CC, attackers can exploit these issues through specially crafted HTTP requests to gain complete control over the affected routers.
- CVE-2025-13207: This flaw impacts Tenda 4G03 Pro firmware versions up to and including v04.03.01.44. An authenticated attacker can manipulate arguments passed to functions within the /usr/sbin/httpd service. By sending a crafted HTTP request to TCP port 80, the attacker can execute arbitrary commands as the root user.
- CVE-2024-24481: This separate issue affects firmware versions up to v04.03.01.14 and involves improper input handling within an accessible web interface function. An authenticated attacker can invoke this function and send a crafted network request to TCP port 7329, which results in command execution.
Successful exploitation of these vulnerabilities grants attackers total control of the affected devices. Once compromised, attackers can modify router configurations, intercept network traffic, deploy malware, or use the device as a central point for further attacks on the connected network. Given that these are network infrastructure devices, the compromise affects all connected devices and data passing through the router.
Mitigation Steps
Since Tenda has not yet released patches to address these vulnerabilities, CERT/CC strongly recommends several mitigation steps:
- Users in security sensitive environments should consider replacing affected devices with alternative routers from other vendors.
- If immediate replacement is not possible, users should minimize the device’s exposure by limiting network access and restricting usage where feasible.
- Users must regularly monitor Tenda’s official website and security advisories for potential firmware updates.
The vulnerabilities were publicly disclosed on November 20, 2025, and vendor remediation remains unavailable at this time.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
