CVE-2025-15253

HighPublic PoC

Published: 30 December 2025

Published

30 December 2025

Modified

02 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability has been found in Tenda M3 1.0.0.13(4903). The impacted element is an unknown function of the file /goform/exeCommand. Such manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has…

been disclosed to the public and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely remediation of identified flaws, directly addressing this stack-based buffer overflow by applying firmware patches from Tenda.

SI-10 Information Input Validation good match

prevent

SI-10 enforces validation of inputs like the cmdinput argument, preventing buffer overflows by checking length and format before processing.

SI-16 Memory Protection good match

prevent

SI-16 provides memory protections such as stack guards and non-executable memory, blocking arbitrary code execution from the buffer overflow exploit.

Security SummaryAI

CVE-2025-15253 is a stack-based buffer overflow vulnerability affecting the Tenda M3 router on firmware version 1.0.0.13(4903). The flaw exists in an unknown function of the /goform/exeCommand file, where manipulation of the cmdinput argument triggers the overflow. Published on 2025-12-30, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-119 and CWE-121.

The vulnerability enables remote exploitation by low-privileged users (PR:L) over the network, requiring low complexity and no user interaction. Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution via the buffer overflow.

Advisories on VulDB (ctiid.338643, id.338643, submit.725498) document the issue, with an exploit publicly disclosed on GitHub at dwBruijn/CVEs/blob/main/Tenda/execCommand.md, which may be usable. The Tenda vendor site at tenda.com.cn should be consulted for any patches or mitigation guidance.

Details

CWE(s): CWE-119 CWE-121

Affected Products

tenda

m3 firmware

1.0.0.13\(4903\)

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a buffer overflow in the web management interface (/goform/exeCommand) of a public-facing router, enabling remote arbitrary code execution, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/dwBruijn/CVEs/blob/main/Tenda/execCommand.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.338643
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.338643
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.725498
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com