Cyber Posture

CVE-2025-15137

High · Public PoC

Published: 28 December 2025
Modified: 07 January 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (46.2th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was detected in TRENDnet TEW-800MB 1.0.1.0. Affected by this vulnerability is the function sub_F934 of the file NTPSyncWithHost.cgi. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly prevents command injection by requiring validation of inputs to the vulnerable sub_F934 function in NTPSyncWithHost.cgi.

prevent

Requires timely remediation of the known command injection flaw through firmware patching, updates, or device replacement.

detect

Vulnerability scanning and monitoring identifies the publicly disclosed command injection vulnerability in the NTP CGI script.

Security Summary · AI

CVE-2025-15137 is a command injection vulnerability (CWE-74, CWE-77) in the TRENDnet TEW-800MB firmware version 1.0.1.0. The issue resides in the sub_F934 function within the NTPSyncWithHost.cgi file, where improper input handling allows manipulation leading to arbitrary command execution.

Attackers with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as scored 8.8 by CVSS 3.1. Successful exploitation enables full system compromise on affected devices.

VulDB advisories note that the vendor was contacted early about the disclosure but provided no response or patches. The exploit is public and available for use, with details in references including https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-NTP-2c7e5dd4c5a580f999adcaff2c31978b and https://vuldb.com/?ctiid.338515.

No exploitation in the wild has been reported, but the public exploit availability heightens risk for unpatched TRENDnet TEW-800MB devices.

Details

CWE(s)

Affected Products

trendnet
tew-800mb firmware
1.0.1.0

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 · Network Device CLI · Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

Command injection in a public-facing CGI script enables exploitation of a public-facing application (T1190) and arbitrary command execution on the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References