CVE-2025-15233

HighPublic PoC

Published: 30 December 2025

Published

30 December 2025

Modified

24 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in Tenda M3 1.0.0.13(4903). This issue affects the function formSetAdInfoDetails of the file /goform/setAdInfoDetail. The manipulation of the argument adName/smsPassword/smsAccount/weixinAccount/weixinName/smsSignature/adRedirectUrl/adCopyRight/smsContent/adItemUID results in heap-based buffer overflow. The attack may be performed from remote. The exploit…

has been released to the public and may be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the heap buffer overflow by identifying, reporting, and correcting the flaw in the formSetAdInfoDetails function through patching.

SI-10 Information Input Validation good match

prevent

Requires validation of manipulated arguments like adName and smsPassword to prevent heap buffer overflows from invalid inputs.

SI-16 Memory Protection good match

prevent

Implements memory safeguards such as non-executable heap regions and address space randomization to mitigate exploitation of the heap buffer overflow for arbitrary code execution.

Security SummaryAI

CVE-2025-15233 is a heap-based buffer overflow vulnerability affecting the formSetAdInfoDetails function in the /goform/setAdInfoDetail file of Tenda M3 firmware version 1.0.0.13(4903). The flaw arises from manipulation of arguments such as adName, smsPassword, smsAccount, weixinAccount, weixinName, smsSignature, adRedirectUrl, adCopyRight, smsContent, and adItemUID, as classified under CWE-119 and CWE-122.

The vulnerability enables remote exploitation by attackers with low privileges (PR:L), requiring network access and low attack complexity but no user interaction. With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially leading to arbitrary code execution on the affected device.

VulDB advisories (ctiid.338629, id.338629, submit.725495) document the issue, while a GitHub repository at dwBruijn/CVEs/blob/main/Tenda/setAdInfoDetail.md provides a publicly released exploit. The Tenda vendor site at tenda.com.cn is referenced for further details, though no specific patches are detailed in available sources.

The exploit's public release heightens the risk of real-world attacks against unpatched Tenda M3 devices.

Details

CWE(s): CWE-119 CWE-122

Affected Products

tenda

m3 firmware

1.0.0.13\(4903\)

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Heap-based buffer overflow in public-facing web endpoint (/goform/setAdInfoDetail) on router firmware enables remote arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/dwBruijn/CVEs/blob/main/Tenda/setAdInfoDetail.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.338629
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.338629
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.725495
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com