CVE-2025-63666
📋 TL;DR
The Tenda AC15 router firmware places the administrator password hash in the authentication cookie and uses weak, predictable session identifiers. An attacker who obtains the cookie can replay it for unauthorized access to the admin interface, and the embedded hash can also be cracked offline. This affects Tenda AC15 routers running the affected firmware (v15.03.05.18_multi, see the verification section below). Exploitation requires either network access to the admin interface or the ability to run JavaScript in the browser of a logged-in administrator.
💻 Affected Systems
- Tenda AC15
📦 What is this software?
The Tenda AC15 is a consumer dual-band Wi-Fi router from Shenzhen Tenda Technology. The affected component is the embedded web management interface in its firmware, which handles administrator login and issues the authentication cookie.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of router administration, allowing attacker to change configurations, intercept traffic, install malware, or pivot to internal networks.
Likely Case
Unauthorized access to router admin interface leading to network configuration changes, DNS hijacking, or credential theft.
If Mitigated
Limited impact if the admin interface is reachable only from a trusted management segment and remote management is off. Note that a firewall does not block the browser-side vector: a script running in the browser of an administrator who is already on the LAN can read and exfiltrate the cookie.
🎯 Exploit Status
Exploitation requires network access to the router's admin interface or the ability to run JavaScript in the browser of a logged-in administrator. Once a cookie is captured, replay is trivial: the value is accepted as-is rather than being bound to a fresh, random session, and because it carries the password hash it can additionally be fed to an offline cracker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
Check Tenda official website for firmware updates. If available, download latest firmware and upload via router admin interface under System Tools > Firmware Upgrade.
🔧 Temporary Workarounds
Disable remote administration
Prevent external access to the router admin interface so that a captured cookie can only be replayed from inside the LAN.
Login to router admin > Advanced > System Tools > Remote Management > Disable
Change default admin credentials
Use a strong, unique password for router administration. Since the cookie carries the password hash, changing the password should also invalidate cookies captured earlier; it does not stop the next cookie from being captured, so combine it with the other workarounds.
Login to router admin > Advanced > System Tools > Password > Set new strong password
🧯 If You Can't Patch
- Place router behind firewall with strict inbound rules blocking access to admin interface
- Implement network segmentation to isolate router management traffic
🔍 How to Verify
Check if Vulnerable:
Check the router firmware version in the admin interface under System Status > Firmware Version. The affected build reported for this CVE is v15.03.05.18_multi; if that is the version shown, treat the device as vulnerable. No other version information is available for this CVE.
Check Version:
Not applicable - check via router web interface
Verify Fix Applied:
After the firmware update, confirm the version no longer reads v15.03.05.18_multi. Then log in and inspect the cookies the router sets (browser developer tools, Storage/Application > Cookies, or the Set-Cookie response header). A fixed build should issue a random session identifier that differs on every login and is not a digest of the admin password. If the cookie value is the same on every login, or matches a hash of the password, the flaw is still present.
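The following is an added example, not code from the page or from Tenda, that turns the verification step above into a repeatable check. You copy the authentication cookie from a few successive logins and pass them in together with the admin password; the script reports whether the cookie embeds a digest of the password and whether it stays identical across logins. The page does not name the digest algorithm, so trying MD5, SHA-1 and SHA-256 is an assumption, and the cookie names (`password=`, `sid=`) and sample values are constructed for illustration.

```python
import hashlib
from typing import Optional

# Assumption: the advisory says the cookie carries the admin password hash but
# does not name the digest, so the check tries several common algorithms.
CANDIDATE_DIGESTS = ("md5", "sha1", "sha256")


def password_digests(password: str) -> dict:
    """Hex digest of the admin password under each candidate algorithm."""
    return {alg: hashlib.new(alg, password.encode("utf-8")).hexdigest()
            for alg in CANDIDATE_DIGESTS}


def cookie_derived_from_password(cookie: str, password: str) -> Optional[str]:
    """Return the algorithm name if the cookie embeds a digest of the admin
    password, otherwise None. A match means whoever holds the cookie holds
    an offline-crackable hash as well as a replayable session."""
    lowered = cookie.lower()
    for alg, digest in password_digests(password).items():
        if digest in lowered:
            return alg
    return None


def assess_session_cookies(cookies_per_login: list, password: str) -> dict:
    """Judge cookies captured from several successive logins to one device.

    A fixed build should issue a fresh, unpredictable identifier every time;
    the vulnerable behaviour described for this CVE is a value that repeats
    on every login because it is derived from the password hash."""
    findings = {
        "password_hash_in_cookie": None,
        "identical_across_logins": len(set(cookies_per_login)) < len(cookies_per_login),
        "short_identifier": False,
    }
    for cookie in cookies_per_login:
        alg = cookie_derived_from_password(cookie, password)
        if alg:
            findings["password_hash_in_cookie"] = alg
        # A value shorter than 16 hex characters leaves under 64 bits of space.
        value = cookie.split("=", 1)[-1]
        if len(value) < 16:
            findings["short_identifier"] = True
    findings["vulnerable"] = (bool(findings["password_hash_in_cookie"])
                              or findings["identical_across_logins"]
                              or findings["short_identifier"])
    return findings


# Constructed samples (not captured from a real device).
ADMIN_PASSWORD = "admin123"
# Vulnerable-style cookies: the same password-derived value on every login.
VULNERABLE_LOGINS = ["password=" + password_digests(ADMIN_PASSWORD)["md5"]] * 3
# Fixed-style cookies: a different random-looking identifier on each login.
FIXED_LOGINS = [
    "sid=4f1c9e2ab7d04e8f9a2c6b13d8e5f701",
    "sid=0a73bd5e61f24c9d8b7e2f4a9c1d3e55",
    "sid=c8e2f6a1094b4d3ea7f1b5c2d9e0a6b3",
]

if __name__ == "__main__":
    print("vulnerable sample:", assess_session_cookies(VULNERABLE_LOGINS, ADMIN_PASSWORD))
    print("fixed sample:", assess_session_cookies(FIXED_LOGINS, ADMIN_PASSWORD))
```

Replace the constructed lists with the real cookie strings from your own router; a "vulnerable" verdict on any of the three findings means the update did not change the session handling.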
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by a successful login from an unfamiliar address
- Admin interface access from hosts outside the management network, or from hosts that have never administered the router before
Network Indicators:
- Unexpected traffic to the router admin port (typically 80/443), in particular from guest or public addresses
- The same authentication cookie value presented from more than one client address, which is the replay this CVE enables
SIEM Query:
Pseudo-syntax; adapt field names to your SIEM. Requests to the router's /goform/ action endpoints from outside the management subnet (note that the router is the destination, not the source):
dest_ip=<router_ip> AND url_path CONTAINS "/goform/" AND NOT src_ip IN <management_subnet>
One cookie value used by several clients:
dest_ip=<router_ip> AND cookie=* | stats dc(src_ip) AS clients BY cookie | where clients > 1
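As an added example (not from the page or from Tenda), the two detections above implemented over access-log lines. The log format, the client addresses, the cookie value and the `/goform/...` endpoint names are constructed for illustration; only the `/goform/` prefix comes from the page, so adapt `LINE_RE` and the paths to what your proxy or firewall actually records.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed access-log lines (assumption: client IP, request line and the
# Cookie header are logged in this space-separated shape).
SAMPLE_LOG = """\
2025-11-02T09:01:10Z 192.168.0.10 GET /login/Auth cookie="-"
2025-11-02T09:01:11Z 192.168.0.10 GET /goform/SysToolChangePwd cookie="password=0c2e6a4b8d1f3e5a7c9b0d2f4e6a8c1b"
2025-11-02T09:07:42Z 192.168.0.57 GET /goform/SysToolChangePwd cookie="password=0c2e6a4b8d1f3e5a7c9b0d2f4e6a8c1b"
2025-11-02T09:08:03Z 203.0.113.9 POST /goform/SetRemoteWebCfg cookie="password=0c2e6a4b8d1f3e5a7c9b0d2f4e6a8c1b"
2025-11-02T09:12:55Z 192.168.0.10 GET /status.html cookie="password=0c2e6a4b8d1f3e5a7c9b0d2f4e6a8c1b"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"$'
)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def cookie_replay(events: list) -> dict:
    """Map each authentication cookie value to the client IPs that presented it,
    keeping only values seen from more than one address. One browser normally
    shows one address; a second address is the replay this CVE enables."""
    seen = defaultdict(set)
    for ev in events:
        if ev["cookie"] and ev["cookie"] != "-":
            seen[ev["cookie"]].add(ev["ip"])
    return {cookie: sorted(ips) for cookie, ips in seen.items() if len(ips) > 1}


def admin_access_outside(events: list, allowed_cidr: str) -> list:
    """Requests to /goform/ action endpoints from outside the management
    network. With remote management disabled, any such hit deserves an alert."""
    allowed = ipaddress.ip_network(allowed_cidr)
    return [(ev["ts"], ev["ip"], ev["path"]) for ev in events
            if ev["path"].startswith("/goform/")
            and ipaddress.ip_address(ev["ip"]) not in allowed]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for cookie, ips in cookie_replay(evs).items():
        print("cookie replayed from", ips, ":", cookie[:24] + "...")
    for hit in admin_access_outside(evs, "192.168.0.0/24"):
        print("admin endpoint hit from outside the management LAN:", hit)
```

In the sample the single cookie value is presented from two LAN hosts and one public address, and the public address also reaches a `/goform/` endpoint, so both detections fire on the same session.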