Cyber Posture

CVE-2025-15255

Critical · Public PoC

Published: 30 December 2025

Modified: 24 February 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0050 (66.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was determined in Tenda W6-S 1.0.0.4(510). This impacts an unknown function of the file /bin/httpd of the component R7websSsecurityHandler. Executing a manipulation of the argument Cookie can lead to stack-based buffer overflow. The attack may be launched remotely.

The exploit has been publicly disclosed and may be utilized.

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Flaw remediation requires applying vendor patches or updates to fix the stack-based buffer overflow in the httpd R7websSsecurityHandler component.

Prevent: Information input validation enforces proper bounds checking on the Cookie argument to prevent the buffer overflow exploitation.

Prevent: Memory protection mechanisms like stack canaries, ASLR, and DEP mitigate successful exploitation of the stack-based buffer overflow.

Security Summary (AI)

CVE-2025-15255 is a stack-based buffer overflow vulnerability affecting the Tenda W6-S router in version 1.0.0.4(510). The flaw resides in an unknown function of the /bin/httpd binary, specifically within the R7websSsecurityHandler component. It stems from improper handling of the Cookie argument, as classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability enables remote exploitation over the network with low complexity, requiring no privileges, authentication, or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8). An attacker can manipulate the Cookie argument to trigger the overflow, potentially achieving arbitrary code execution and full compromise of the affected device, including high impacts to confidentiality, integrity, and availability.

Advisories from VulDB (ctiid.338645, id.338645, submit.725500) and a GitHub repository (dwBruijn/CVEs/blob/main/Tenda/R7WebsSecurityHandler.md) provide further details on the issue. The Tenda vendor website (tenda.com.cn) is referenced for potential updates, though no specific patches are detailed in the disclosure.

The exploit has been publicly disclosed and may be utilized, increasing the risk for unpatched Tenda W6-S devices exposed to the internet.

Details

CWE(s)

Affected Products

tenda
w6-s firmware
1.0.0.4(510)

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The stack-based buffer overflow is in the public-facing httpd web server of the Tenda W6-S router and is exploitable remotely via a manipulated Cookie header without authentication or privileges. This directly enables arbitrary code execution through exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References