A critical remote code execution vulnerability, identified as CVE-2025-15006, affects multiple Tenda products. The flaw allows an unauthenticated remote attacker to take complete control of a vulnerable device by sending a specially crafted request. Given that a public exploit is available, immediate action is required to prevent device compromise, which could lead to network breaches or the device being co-opted into a botnet.

This vulnerability is a stack-based buffer overflow within the HTTP Request Handler component of the device's firmware. Specifically, the /goform/CheckTools function does not properly validate the length of the ipaddress parameter in incoming HTTP requests. An unauthenticated remote attacker can exploit this by sending a request with an overly long string in the ipaddress parameter, overflowing the stack buffer, overwriting the return address, and achieving arbitrary code execution with the privileges of the web server process.

This vulnerability is rated critical with a CVSS score of 9.8. Successful exploitation would result in a complete compromise of the affected Tenda device, granting the attacker full administrative control. This could lead to severe consequences, including the interception of sensitive network traffic, unauthorized access to the internal network, using the device as a pivot point for further attacks, or incorporating it into a botnet for use in Distributed Denial-of-Service (DDoS) attacks. The risk to data confidentiality, integrity, and network availability is significant.

Immediate Action: Update A weakness has been identified in Tenda Multiple Products to the latest version. Prioritize patching for all internet-facing devices immediately. After patching, monitor for exploitation attempts and review access logs for any suspicious requests targeting the /goform/CheckTools endpoint.

Proactive Monitoring: Monitor web server and network logs for HTTP requests to the /goform/CheckTools endpoint containing an abnormally long ipaddress parameter. Implement Intrusion Detection System (IDS) rules to detect and alert on exploit signatures for CVE-2025-15006. Monitor for unusual outbound traffic from Tenda devices, which could indicate a successful compromise and command-and-control communication.

Compensating Controls: If immediate patching is not feasible, restrict access to the device's web management interface from the internet. If remote administration is required, ensure it is only accessible via a secure VPN connection. Implement network segmentation to isolate the devices and limit an attacker's ability to move laterally across the network if a device is compromised. A Web Application Firewall (WAF) may be configured to block malicious requests to the vulnerable endpoint.

Public Exploit Available: true

Given the critical severity (CVSS 9.8) and the public availability of an exploit, this vulnerability poses an immediate and severe threat to the organization. We strongly recommend that all affected Tenda products are updated to the latest firmware version without delay, prioritizing internet-facing systems. The lack of CISA KEV status should not reduce the urgency of this action. Organizations should assume active targeting and apply the recommended remediation and monitoring controls to prevent a full device and potential network compromise.