CVE-2025-15471
Published: 07 January 2026
Description
A vulnerability was detected in TRENDnet TEW-713RE 1.02. The impacted element is an unknown function of the file /goformX/formFSrvX. The manipulation of the argument SZCMD results in os command injection. It is possible to launch the attack remotely. The exploit…
more
is now public and may be used. The vendor confirms: "The product in question TEW-731RE for CVE-2025-15471 has been discontinued and end of life since October 23, 2020. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on the website product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.
Mitigating Controls (NIST 800-53 r5)AI
Prohibits the use of unsupported and end-of-life system components like the TRENDnet TEW-713RE, preventing exposure to unpatchable vulnerabilities such as this OS command injection flaw.
Requires validation of information inputs like the SZCMD argument to directly prevent OS command injection exploitation.
Mandates identification and remediation of flaws like this command injection vulnerability, which for EOL products entails isolation, decommissioning, or replacement.
Security SummaryAI
CVE-2025-15471 is an OS command injection vulnerability (CWE-77, CWE-78) in TRENDnet TEW-713RE version 1.02. The issue resides in an unknown function within the file /goformX/formFSrvX, where manipulation of the SZCMD argument enables arbitrary command execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high confidentiality, integrity, and availability impacts.
The vulnerability is exploitable remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction. Successful exploitation allows attackers to inject and execute arbitrary operating system commands on the affected device, potentially leading to full compromise, data exfiltration, or further network pivoting.
Vendor advisories confirm that the product—identified as TEW-731RE in their statement—has been discontinued and reached end-of-life on October 23, 2020. No patches or support are available, and the vendor cannot verify the vulnerability but plans to post an announcement on the product support page and notify registered customers. This issue exclusively affects unsupported products.
The exploit is public and available for use, as noted in recent disclosures.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote OS command injection via public-facing web form directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for arbitrary command execution on the embedded Linux device.