CVE-2025-14286 in AC9
Summary
by MITRE • 12/09/2025
A vulnerability was determined in Tenda AC9 15.03.05.14_multi. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/DownloadCfg.jpg of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 12/12/2025
The vulnerability identified as CVE-2025-14286 affects the Tenda AC9 router firmware version 15.03.05.14_multi and represents a critical information disclosure flaw within the device's configuration file handling mechanism. This vulnerability specifically targets the /cgi-bin/DownloadCfg.jpg endpoint which serves as a configuration file handler component, exposing sensitive data through improper access controls and lack of authentication verification. The affected functionality resides within the web interface's backend processing logic where configuration files are managed and downloaded, creating an attack surface that allows unauthorized access to system configuration data.
The technical exploitation of this vulnerability occurs through remote manipulation of the DownloadCfg.jpg handler, which fails to properly validate user credentials or implement access restrictions before serving configuration files. This flaw falls under CWE-284 Access Control Issues, specifically manifesting as improper access control in web application components that handle sensitive system data. The vulnerability enables attackers to retrieve configuration files containing potentially sensitive information such as network settings, user credentials, and system parameters without proper authentication, making it particularly dangerous for network security infrastructure.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with valuable insights into the router's configuration that could facilitate further attacks. The publicly disclosed exploit means that threat actors can immediately leverage this vulnerability without requiring advanced technical skills or custom development. This remote attack vector eliminates the need for physical access or complex reconnaissance, allowing adversaries to quickly compromise affected devices and potentially use the disclosed information for lateral movement within networks, credential harvesting, or as a foundation for more sophisticated attacks. The vulnerability directly maps to ATT&CK technique T1566.002 Phishing, as attackers could use the disclosed configuration information to craft more convincing social engineering campaigns.
Security mitigation strategies for CVE-2025-14286 should include immediate firmware updates from Tenda to address the access control flaw in the configuration file handler component. Network administrators should implement additional protective measures such as firewall rules that restrict access to the /cgi-bin/DownloadCfg.jpg endpoint and monitor for unauthorized access attempts. The vulnerability demonstrates the importance of proper input validation and access control implementation in web applications, particularly those handling sensitive system configuration data. Organizations should conduct comprehensive vulnerability assessments to identify similar flaws in other network devices and ensure that all firmware components properly validate user credentials before providing access to configuration files, thereby preventing unauthorized disclosure of system information that could compromise network security posture.