CVE-2025-15254

MediumPublic PoC

Published: 30 December 2025

Published

30 December 2025

Modified

24 February 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0103 77.4th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was found in Tenda W6-S 1.0.0.4(510). This affects the function TendaAte of the file /goform/ate of the component ATE Service. Performing a manipulation results in os command injection. The attack may be initiated remotely. The exploit has been…

made public and could be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection vulnerability by requiring validation and sanitization of inputs to the TendaAte function in /goform/ate.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation through firmware patching to eliminate the command injection vulnerability in Tenda W6-S 1.0.0.4(510).

AC-6 Least Privilege partial match

prevent

Enforces least privilege to limit the scope and impact of arbitrary OS commands executed via the low-privilege remote access exploitation.

Security SummaryAI

CVE-2025-15254 is an OS command injection vulnerability (CWE-77, CWE-78) discovered in Tenda W6-S router firmware version 1.0.0.4(510), published on 2025-12-30. The issue resides in the TendaAte function of the /goform/ate file within the ATE Service component, where manipulation leads to arbitrary command execution.

The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating exploitation over the network with low complexity, requiring low privileges but no user interaction. A remote attacker with such access can inject OS commands, potentially resulting in limited impacts to confidentiality, integrity, and availability.

Advisories and related resources, including VulDB entries (ctiid.338644, id.338644, submit.725499) and a GitHub repository detailing the exploit at github.com/dwBruijn/CVEs/blob/main/Tenda/ate.md, provide further technical details. The manufacturer's site at tenda.com.cn may offer patch information, though specifics are not detailed in the CVE description.

The exploit has been made public and could be used, increasing the risk for unpatched Tenda W6-S devices.

Details

CWE(s): CWE-77 CWE-78

Affected Products

tenda

w6-s firmware

1.0.0.4\(510\)

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of public-facing web application (router firmware) via command injection, directly facilitating Network Device CLI abuse for arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/dwBruijn/CVEs/blob/main/Tenda/ate.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.338644
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.338644
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.725499
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com