Categories: Cyber Security News

Tenda N300 Vulnerabilities Allow Attackers to Execute Arbitrary Commands as Root

High-severity command injection vulnerabilities have been discovered in Tenda’s N300 Wi-Fi 4G LTE Router and the 4G03 Pro model, enabling authenticated attackers to execute arbitrary commands with root privileges on affected devices.

With no patches currently available from the manufacturer, security experts are urging users to consider alternative solutions to protect their networks from potential compromise.

Vulnerable Routers Face Command Injection Threats

The Tenda 4G03 Pro is a portable 4G LTE router designed for flexible internet access worldwide.

Users can insert a SIM card to establish ad hoc internet connectivity, making it popular for mobile and temporary networking solutions across different mobile operators.

However, security researchers have identified serious flaws stemming from improper handling of attacker-controlled input within the router’s internal service functions.

Two distinct command injection vulnerabilities, tracked as CVE-2025-13207 and CVE-2024-24481, affect multiple firmware versions of these devices.

Both vulnerabilities carry a CVSS score of 8.8, indicating high severity and significant risk to affected organizations and individuals.

| CVE ID | Affected Products | Vulnerability Type | CVSS Score |
| --- | --- | --- | --- |
| CVE-2025-13207 | Tenda N300 4G03 Pro (Firmware v04.03.01.44 and earlier) | Command Injection | 8.8 (High) |
| CVE-2024-24481 | Tenda N300 4G03 Pro (Firmware v04.03.01.14 and earlier) | Command Injection | 8.8 (High) |

The first vulnerability, CVE-2025-13207, impacts firmware versions up to and including v04.03.01.44. Attackers can exploit this flaw by manipulating arguments passed to a function within the /usr/sbin/httpd service.

A specially crafted authenticated HTTP request sent to TCP port 80 can trigger arbitrary command execution on the device.

The second vulnerability, CVE-2024-24481, affects firmware versions up to and including v04.03.01.14. This flaw involves improper input handling within a function that is accessible through the web interface.

After authentication, attackers can invoke the vulnerable function and send a crafted network request to TCP port 7329, resulting in command execution with root privileges.

Security researchers discovered these vulnerabilities by reverse engineering the router’s firmware. Importantly, this issue is distinct from CVE-2023-2649.

Successful exploitation grants attackers complete control over the affected device, allowing them to execute any commands as the root user on the underlying operating system.

This level of access enables threat actors to intercept network traffic, modify router configurations, establish persistent backdoors, or use compromised devices as launching points for further attacks on connected networks.

The CERT Coordination Center has confirmed that no vendor-supplied patches or mitigations currently exist to address these critical vulnerabilities in the Tenda N300 series and 4G03 Pro devices.
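With no patch to deploy, a defender's first step is to find affected units and see whether the two service ports named above (TCP 80 and 7329) answer from a given network segment. The Python below is an added example, not code from the article, the researchers or the vendor; the function names, the inventory entries and the 192.0.2.x addresses are constructed assumptions, while the firmware ranges and ports are taken from the text.

```python
import re
import socket

# Last affected firmware and service port per CVE, as given in the article.
ADVISORIES = {
    "CVE-2025-13207": {"last_affected": (4, 3, 1, 44), "port": 80},
    "CVE-2024-24481": {"last_affected": (4, 3, 1, 14), "port": 7329},
}

def parse_firmware(version):
    """Turn 'v04.03.01.44' into (4, 3, 1, 44); reject anything else."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in m.groups())

def applicable_cves(version):
    """CVEs whose stated range covers this firmware. An empty list means
    'not in a listed range', not 'fixed': the article reports no patch."""
    fw = parse_firmware(version)
    return sorted(c for c, a in ADVISORIES.items() if fw <= a["last_affected"])

def port_reachable(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(host, version, probe=port_reachable):
    """One finding per applicable CVE, with reachability of its port."""
    return [
        {"cve": cve, "port": ADVISORIES[cve]["port"],
         "reachable": probe(host, ADVISORIES[cve]["port"])}
        for cve in applicable_cves(version)
    ]

if __name__ == "__main__":
    # Constructed inventory (documentation-range addresses, sample versions).
    inventory = [("192.0.2.1", "v04.03.01.44"), ("192.0.2.2", "V04.03.01.10")]
    for host, fw in inventory:
        # Probe stubbed so the demo runs offline; drop the argument to test
        # real reachability of your own device from the current segment.
        for finding in audit(host, fw, probe=lambda h, p: p == 80):
            print(host, fw, finding)
```

A finding with `reachable` set to true on a guest or untrusted segment marks a unit whose management services should be filtered or that should be replaced.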

The post Tenda N300 Vulnerabilities Allow Attackers to Execute Arbitrary Commands as Root appeared first on Cyber Security News.