A critical remote code execution vulnerability, identified as CVE-2025-15007, exists in multiple Tenda products. The flaw allows a remote, unauthenticated attacker to take complete control of an affected device by sending a specially crafted web request, posing a severe risk to network security and data confidentiality.

A stack-based buffer overflow vulnerability exists in the HTTP Request Handler component of the device's firmware. An unauthenticated, remote attacker can exploit this by sending a crafted HTTP request to the /goform/L7Im endpoint with an overly long value in the page argument. This overflows the buffer on the stack, allowing the attacker to overwrite critical program data and achieve arbitrary code execution with the privileges of the web server process, typically root.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an attacker to gain full administrative control over the affected network device. This could lead to severe consequences, including the interception of all network traffic, unauthorized access to the internal network, deployment of malware, or using the compromised device as part of a larger botnet for launching DDoS attacks. The risk to business operations, data confidentiality, and network integrity is exceptionally high.

Immediate Action: Immediately apply the latest firmware updates provided by Tenda to all affected devices. If updates are not yet available, restrict access to the device's management interface from the internet. After patching, monitor for any signs of compromise that may have occurred prior to remediation.

Proactive Monitoring: Security teams should actively monitor network logs for inbound HTTP requests targeting the /goform/L7Im endpoint. Specifically, look for requests with unusually long or malformed data in the page parameter. Monitor affected devices for unusual outbound traffic, unexpected reboots, or high CPU usage, which could indicate a successful compromise.

Compensating Controls: If patching is not immediately possible, implement the following controls:

• Use a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) with rules to block malicious requests to the /goform/L7Im path.
• Restrict access to the device's web administration interface to a trusted internal management network only.
• Segment the network to isolate the Tenda device, limiting the potential impact of a compromise on other critical systems.

Public Exploit Available: true

Given the critical severity (CVSS 9.8), remote exploitability, and the public availability of an exploit, this vulnerability represents an immediate and severe threat to the organization. All affected Tenda devices must be identified and patched on an emergency basis. Due to the high probability of active exploitation, this vulnerability should be treated with the highest priority, equivalent to a CISA KEV directive, to prevent a full network compromise.