CVE-2025-15472 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-15472?

CVE-2025-15472 has a CVSS score of 7.2 (HIGH). This vulnerability allows remote attackers to execute arbitrary operating system commands on TRENDnet TEW-811DRU routers by manipulating the DeviceURL parameter in the uapply.cgi file. The attack can be performed without authentication and affects devices running firmware version 1.0.2.0. Anyone using this specific router model with the vulnerable firmware is at risk.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary operating system commands on TRENDnet TEW-811DRU routers by manipulating the DeviceURL parameter in the uapply.cgi file. The attack can be performed without authentication and affects devices running firmware version 1.0.2.0. Anyone using this specific router model with the vulnerable firmware is at risk.

💻 Affected Systems

Products:

TRENDnet TEW-811DRU

Versions: 1.0.2.0

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: The web interface is typically enabled by default on these routers, making them immediately vulnerable if exposed to the internet.

📦 What is this software?

Tew 811dru Firmware by Trendnet

View all CVEs affecting Tew 811dru Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to install persistent backdoors, intercept network traffic, pivot to internal networks, or use the device for botnet activities.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, or deployment of malware to connected devices.

🟢

If Mitigated

Limited impact if network segmentation isolates the router and external access is disabled, though local network attacks remain possible.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The exploit has been published and weaponized tools are likely available given the low complexity and unauthenticated nature of the attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. The vendor did not respond to disclosure attempts. Consider replacing the device or implementing strict network controls.

🔧 Temporary Workarounds

Disable Remote Management

all

Turn off remote administration features to prevent internet-based attacks

Network Segmentation

all

Isolate the router from critical internal networks using VLANs or separate physical networks

🧯 If You Can't Patch

Replace the vulnerable router with a different model from a vendor that provides security updates
Implement strict firewall rules to block all inbound traffic to the router's web interface (typically port 80/443)

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface at http://[router-ip]/ or using command: telnet [router-ip] 80 and examine response headers

Check Version:

curl -I http://[router-ip]/ | grep Server or check web interface System Status page

Verify Fix Applied:

Since no patch exists, verification involves confirming workarounds are implemented: check that remote management is disabled and firewall rules block web interface access

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /uapply.cgi with DeviceURL parameter containing shell metacharacters
Failed authentication attempts followed by successful command execution

Network Indicators:

Outbound connections from router to suspicious IPs/domains
Unusual DNS queries from router
Traffic patterns indicating command-and-control communication

SIEM Query:

source="router.log" AND (uri="/uapply.cgi" AND (param="DeviceURL" AND value MATCHES "[;&|`$()]"))

📊 Metadata

CVE ID: CVE-2025-15472

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

EPSS Score: 0.44% exploit probability (62.6th percentile)

Published: January 7, 2026

Last Updated: January 15, 2026

🔗 References

https://pentagonal-time-3a7.notion.site/TrendNet-TEW-811DRU-2d2e5dd4c5a58016a612e99853b835f8 Exploit,Third Party Advisory
https://vuldb.com/?ctiid.339722 Permissions Required,VDB Entry
https://vuldb.com/?id.339722 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.721874 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-15472, you might also want to check these: