CVE-2025-15048 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-15048?

CVE-2025-15048 has a CVSS score of 7.3 (HIGH). This vulnerability allows remote attackers to execute arbitrary commands on Tenda WH450 routers by injecting malicious input into the 'ipaddress' parameter of the HTTP request handler. Attackers can exploit this without authentication to gain control of affected devices. Users running Tenda WH450 firmware version 1.0.0.18 are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on Tenda WH450 routers by injecting malicious input into the 'ipaddress' parameter of the HTTP request handler. Attackers can exploit this without authentication to gain control of affected devices. Users running Tenda WH450 firmware version 1.0.0.18 are affected.

💻 Affected Systems

Products:

Tenda WH450

Versions: 1.0.0.18

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default configuration of the HTTP request handler component.

📦 What is this software?

Wh450 Firmware by Tenda

View all CVEs affecting Wh450 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept network traffic, install persistent backdoors, pivot to internal networks, or use the device for botnet activities.

🟠

Likely Case

Remote code execution leading to router compromise, credential theft, DNS hijacking, and network surveillance.

🟢

If Mitigated

Limited impact if network segmentation isolates the router and external access is restricted.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via HTTP requests, making internet-facing devices immediately vulnerable.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to pivot through the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept demonstrates command injection via crafted HTTP requests to /goform/CheckTools endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

Check Tenda's official website for firmware updates. If available, download and install the latest firmware through the router's web interface.

🔧 Temporary Workarounds

Block External Access

all

Prevent external access to the router's web interface by configuring firewall rules to block inbound HTTP/HTTPS traffic to the router from untrusted networks.

Network Segmentation

all

Isolate the router on a separate VLAN to limit potential lateral movement if compromised.

🧯 If You Can't Patch

Replace affected devices with patched or alternative models
Implement strict network monitoring and intrusion detection for suspicious HTTP requests to /goform/CheckTools

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Status or System Tools. If version is 1.0.0.18, the device is vulnerable.

Check Version:

Not applicable - check via router web interface

Verify Fix Applied:

Verify firmware version has been updated to a version later than 1.0.0.18.

📡 Detection & Monitoring

Log Indicators:

HTTP requests to /goform/CheckTools with unusual ipaddress parameters containing shell metacharacters
Unusual command execution in router logs

Network Indicators:

HTTP POST requests to /goform/CheckTools with command injection payloads in ipaddress parameter
Outbound connections from router to unexpected destinations

SIEM Query:

http.url:"/goform/CheckTools" AND http.param.ipaddress:("|" OR ";" OR "&" OR "`" OR "$")

📊 Metadata

CVE ID: CVE-2025-15048

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.86% exploit probability (74.6th percentile)

Published: December 23, 2025

Last Updated: February 24, 2026

🔗 References

https://github.com/z472421519/BinaryAudit/blob/main/PoC/CMD/Tenda_WH450/CheckTools/CheckTools.md Exploit,Third Party Advisory
https://github.com/z472421519/BinaryAudit/blob/main/PoC/CMD/Tenda_WH450/CheckTools/CheckTools.md#reproduce Exploit
https://vuldb.com/?ctiid.337853 Permissions Required,VDB Entry
https://vuldb.com/?id.337853 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.720885 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-15048, you might also want to check these: