CVE-2025-15371
📋 TL;DR
This vulnerability in Tenda networking devices allows local attackers to access hard-coded credentials through manipulation of the Shadow File component. Attackers with local access can exploit this to gain unauthorized access to device credentials. Affected devices include Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F.
💻 Affected Systems
- Tenda i24
- Tenda 4G03 Pro
- Tenda 4G05
- Tenda 4G08
- Tenda G0-8G-PoE
- Tenda Nova MW5G
- Tenda TEG5328F
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains administrative access to the device, enabling complete device takeover, credential harvesting, network pivoting, and potential lateral movement within the network.
Likely Case
Local attacker obtains device credentials, enabling unauthorized access to device configuration, network settings modification, and potential privilege escalation.
If Mitigated
With proper network segmentation and access controls, impact limited to isolated device compromise without network-wide consequences.
🎯 Exploit Status
Exploit requires local access to the device. Public disclosure of exploit details increases likelihood of weaponization. Attack involves manipulating the Fireitup input to access hard-coded credentials in Shadow File.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Monitor Tenda vendor website for security updates and firmware releases. Check for firmware updates through device administration interface.
🔧 Temporary Workarounds
Network Segmentation
allIsolate affected devices in separate network segments to limit lateral movement potential
Access Control Restrictions
allImplement strict physical and network access controls to prevent unauthorized local access
🧯 If You Can't Patch
- Replace affected devices with updated models or different vendors
- Implement network monitoring and anomaly detection for credential access attempts
🔍 How to Verify
Check if Vulnerable:
Check device firmware version through web interface or CLI. If version is 65.10.15.6 or earlier, device is vulnerable.Check Version:
Check device web interface under System Status or use vendor-specific CLI commands for firmware versionVerify Fix Applied:
Verify firmware version has been updated beyond 65.10.15.6. Test local access controls to ensure unauthorized credential access is prevented.📡 Detection & Monitoring
Log Indicators:
- Unusual local access attempts
- Multiple failed authentication attempts followed by successful access
- Shadow file access logs showing unauthorized manipulation
Network Indicators:
- Unexpected administrative access from non-standard locations
- Network configuration changes from unauthorized sources
SIEM Query:
source="tenda_device" AND (event="shadow_file_access" OR event="fireitup_manipulation")🔗 References
- https://github.com/vuln-1/vuln/blob/main/Tenda/i24v3.0_V3.0.0.8/report-1.md
- https://vuldb.com/?ctiid.339075
- https://vuldb.com/?id.339075
- https://vuldb.com/?submit.727155
- https://vuldb.com/?submit.727283
- https://vuldb.com/?submit.727284
- https://vuldb.com/?submit.727285
- https://vuldb.com/?submit.727302
- https://vuldb.com/?submit.727305
- https://vuldb.com/?submit.727306
- https://www.tenda.com.cn/
