Login Sign Up

CVE-2025-15160

7.2 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda WH450 routers via a stack-based buffer overflow in the PPTPServer component. Attackers can exploit this by sending specially crafted requests to the vulnerable endpoint. All users running the affected firmware version are at risk.

💻 Affected Systems

Products:
  • Tenda WH450
Versions: 1.0.0.18
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The PPTPServer component appears to be enabled by default in affected firmware versions.

📦 What is this software?

Wh450 Firmware by Tenda

View all CVEs affecting Wh450 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to remote code execution, network takeover, and potential lateral movement to connected devices.

🟠

Likely Case

Router compromise allowing attackers to intercept traffic, modify DNS settings, or create persistent backdoors.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication, making exposed devices immediate targets.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised devices on the same network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists on GitHub, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware. 3. Log into router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable PPTP Server

all

Turn off the vulnerable PPTP server component if not required

Network Segmentation

all

Isolate router management interface from untrusted networks

🧯 If You Can't Patch

  • Replace affected router with different model or vendor
  • Implement strict firewall rules blocking access to port 1723 and router management interface from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 1.0.0.18, device is vulnerable.

Check Version:

Login to router admin interface and check System Status or Firmware Version page

Verify Fix Applied:

After firmware update, verify version number has changed from 1.0.0.18 and test PPTP functionality if required.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PPTP connection attempts
  • Multiple failed authentication attempts to router admin
  • Unexpected firmware or configuration changes

Network Indicators:

  • Traffic to port 1723 (PPTP) with malformed packets
  • Unusual outbound connections from router
  • DNS hijacking or redirect patterns

SIEM Query:

source="router_logs" AND ("PPTP" OR "goform/PPTPServer") AND status="error"

📊 Metadata

CVE ID: CVE-2025-15160
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
EPSS Score: 0.14% exploit probability (34th percentile)
Published: December 28, 2025
Last Updated: December 30, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-15160, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)