Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-9090 PoC — Tenda AC20 Telnet Service telnet websFormDefine command injection

Source
https://github.com/byteReaper77/CVE-2025-9090
Associated Vulnerability
Title:Tenda AC20 Telnet Service telnet websFormDefine command injection (CVE-2025-9090)
Description:A vulnerability was identified in Tenda AC20 16.03.08.12. Affected is the function websFormDefine of the file /goform/telnet of the component Telnet Service. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Description
Command Injection in Tenda AC20 16.03.08.12 (/goform/telnet)
Readme
# CVE-2025-9090

**Author: Byte Reaper**
## Description
This exploit targets **CVE-2025-9090**, a command injection vulnerability in the **Tenda AC20 (v16.03.08.12)** router.  
The flaw is in the endpoint `/goform/telnet`, which can be triggered remotely.  
When accessed, it starts the Telnet service on the device, opening ports **23/2323** for remote interaction.  

The program sends a request to the vulnerable endpoint, looks for the response string **"load telnetd success"**, and then tries to connect to the Telnet service to confirm successful exploitation.

## Build
Compile using `gcc`:

```
    gcc exploit.c argparse.c -o CVE-2025-9090 -lcurl
```
## Usage : 
```
    -h, --help            show this help message and exit
    -i, --ip              Enter Target IP
    -c, --cookies         Enter File cookies
    -v, --verbose         Verbose Mode
    -f, --loop=           Number request 

```
## RUN : 
```
    ./CVE-2025-9090 -i <IP> 
    - verbose mode :
    ./CVE-2025-9090 -i <IP> -v
    - number request : 
    ./CVE-2025-9090 -i <IP> -v -f 5 (5 POST endpoint)
    - cookies file :
    ./CVE-2025-9090 -i <IP> -v -f 5 -c [file name] 
```

## LICENSE:
MIT
File Snapshot

 [4.0K]  /data/pocs/ad5e088e88f42c487b8c46bd20f086890a0abe49
├── [ 19K]  exploit.c
├── [1.0K]  LICENSE
└── [1.2K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →