CVE-2025-15371

Summary

A vulnerability has been found in Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F up to 65.10.15.6. Affected is an unknown function of the component Shadow File. Such manipulation with the input Fireitup leads to hard-coded credentials. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

Affected Software

VendorProductVersion RangeStatus
Tendai241.0.0.35affected
Tendai243.0.0.8(4008)affected
Tendai2404.03.01.49affected
Tendai2404.05.01.15affected
Tendai2404.08.01.28affected
Tendai2416.01.8.5affected
Tendai2465.10.15.6affected
Tenda4G03 Pro1.0.0.35affected
Tenda4G03 Pro3.0.0.8(4008)affected
Tenda4G03 Pro04.03.01.49affected
Tenda4G03 Pro04.05.01.15affected
Tenda4G03 Pro04.08.01.28affected
Tenda4G03 Pro16.01.8.5affected
Tenda4G03 Pro65.10.15.6affected
Tenda4G051.0.0.35affected
Tenda4G053.0.0.8(4008)affected
Tenda4G0504.03.01.49affected
Tenda4G0504.05.01.15affected
Tenda4G0504.08.01.28affected
Tenda4G0516.01.8.5affected
Tenda4G0565.10.15.6affected
Tenda4G081.0.0.35affected
Tenda4G083.0.0.8(4008)affected
Tenda4G0804.03.01.49affected
Tenda4G0804.05.01.15affected
Tenda4G0804.08.01.28affected
Tenda4G0816.01.8.5affected
Tenda4G0865.10.15.6affected
TendaG0-8G-PoE1.0.0.35affected
TendaG0-8G-PoE3.0.0.8(4008)affected
TendaG0-8G-PoE04.03.01.49affected
TendaG0-8G-PoE04.05.01.15affected
TendaG0-8G-PoE04.08.01.28affected
TendaG0-8G-PoE16.01.8.5affected
TendaG0-8G-PoE65.10.15.6affected
TendaNova MW5G1.0.0.35affected
TendaNova MW5G3.0.0.8(4008)affected
TendaNova MW5G04.03.01.49affected
TendaNova MW5G04.05.01.15affected
TendaNova MW5G04.08.01.28affected
TendaNova MW5G16.01.8.5affected
TendaNova MW5G65.10.15.6affected
TendaTEG5328F1.0.0.35affected
TendaTEG5328F3.0.0.8(4008)affected
TendaTEG5328F04.03.01.49affected
TendaTEG5328F04.05.01.15affected
TendaTEG5328F04.08.01.28affected
TendaTEG5328F16.01.8.5affected
TendaTEG5328F65.10.15.6affected

Weaknesses

  • CWE-798: Hard-coded Credentials
  • CWE-259: Use of Hard-coded Password

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References