CVE-2025-15136

HighPublic PoC

Published: 28 December 2025

Published

28 December 2025

Modified

07 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 38.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A security vulnerability has been detected in TRENDnet TEW-800MB 1.0.1.0. Affected is the function do_setWizard_asp of the file /goform/wizardset of the component Management Interface. The manipulation of the argument WizardConfigured leads to command injection. The attack may be initiated remotely.…

The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by validating and sanitizing the WizardConfigured argument in the do_setWizard_asp function.

SI-2 Flaw Remediation good match

preventrecover

Requires timely identification, reporting, and correction of the specific command injection flaw in the management interface.

AC-6 Least Privilege partial match

prevent

Limits the impact of injected commands by enforcing least privilege on low-privilege (PR:L) accounts accessing the vulnerable wizardset endpoint.

Security SummaryAI

CVE-2025-15136 is a command injection vulnerability affecting the TRENDnet TEW-800MB router in version 1.0.1.0. The flaw resides in the do_setWizard_asp function within the /goform/wizardset file of the Management Interface, where manipulation of the WizardConfigured argument triggers the injection. Published on 2025-12-28, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs-74 and CWE-77.

Attackers with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables arbitrary command execution, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H).

Advisories indicate the vendor was contacted early regarding the disclosure but provided no response. No patches or mitigations are detailed from the vendor, while the exploit has been publicly disclosed and may be used, with references including VulDB entries and a Notion site detailing the issue.

Details

CWE(s): CWE-74 CWE-77

Affected Products

trendnet

tew-800mb firmware

1.0.1.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Command injection in web management interface enables exploitation of public-facing application (T1190), privilege escalation from low privileges to RCE (T1068), and command execution on network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-2c7e5dd4c5a58067bc81e530bf3191c0
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.338514
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.338514
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.714042
Third Party Advisory, VDB Entry · cna@vuldb.com