CVE-2025-15047 – This vulnerability allows remote attackers to e... (How to Fix)

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda WH450 routers by sending specially crafted HTTP requests to the PPTPDClient endpoint. Attackers can exploit a stack-based buffer overflow in the Username parameter to gain full control of affected devices. All users running vulnerable firmware versions are at risk.

💻 Affected Systems

Products:

Tenda WH450

Versions: 1.0.0.18

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerable endpoint is accessible via HTTP requests to the router's web interface.

📦 What is this software?

Wh450 Firmware by Tenda

View all CVEs affecting Wh450 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering, though internal network compromise remains possible.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept demonstrates reliable exploitation. No authentication required to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for WH450
3. Log into router admin interface
4. Navigate to firmware upgrade section
5. Upload and apply new firmware
6. Reboot router after update completes

🔧 Temporary Workarounds

Network Segmentation

all

Isolate vulnerable routers from critical network segments

Access Control Lists

linux

Block external access to router web interface

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

Replace vulnerable devices with supported models
Implement strict network monitoring for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or About page

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is newer than 1.0.0.18

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to /goform/PPTPDClient
Large Username parameter values in web logs
Router reboot events

Network Indicators:

HTTP requests with oversized Username parameters
Traffic to router on port 80 from unexpected sources

SIEM Query:

source="router-logs" AND uri="/goform/PPTPDClient" AND username.length>100

📊 Metadata

CVE ID: CVE-2025-15047

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.14% exploit probability (33.9th percentile)

Published: December 23, 2025

Last Updated: February 24, 2026

🔗 References

https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPDClient/PPTPDClient.md Exploit,Third Party Advisory
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPDClient/PPTPDClient.md#reproduce Exploit
https://vuldb.com/?ctiid.337852 Permissions Required,VDB Entry
https://vuldb.com/?id.337852 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.720884 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-15047, you might also want to check these: