A critical remote code execution vulnerability, identified as CVE-2025-15010, has been discovered in multiple Tenda products. An unauthenticated attacker can exploit this flaw over the network to gain complete control of an affected device, potentially leading to network traffic interception, unauthorized access to the internal network, or use of the device in a botnet. Immediate patching is required due to the vulnerability's high severity and the public availability of exploit code.

This vulnerability is a stack-based buffer overflow within the web management interface of affected Tenda devices. A remote, unauthenticated attacker can send a specially crafted HTTP request to the /goform/SafeUrlFilter endpoint. By providing an overly long string in the page argument of this request, the attacker can overwrite the program's execution stack, leading to arbitrary code execution with the privileges of the web server process, which is typically root on these embedded devices.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an attacker to take complete administrative control of the affected networking device. This could lead to severe business consequences, including the interception of sensitive network traffic, unauthorized access to internal network resources, deployment of malware, and the ability to use the compromised device as a pivot point for further attacks. The device could also be co-opted into a botnet for use in Distributed Denial-of-Service (DDoS) attacks, potentially causing reputational damage and service disruption.

Immediate Action: Update A vulnerability has been found in Tenda Multiple Products to the latest version. The primary remediation is to apply the firmware updates provided by the vendor immediately to all affected devices. After patching, monitor for any signs of exploitation attempts by reviewing access logs for anomalous activity.

Proactive Monitoring: Implement network and log monitoring to detect exploitation attempts. Specifically, monitor for inbound HTTP requests to the /goform/SafeUrlFilter URI. Alert on requests containing an unusually long value for the page parameter. Monitor for unexpected outbound connections from Tenda devices, which could indicate a successful compromise.

Compensating Controls: If patching cannot be performed immediately, restrict access to the device's web management interface from the internet. If remote management is necessary, place it behind a VPN or a Web Application Firewall (WAF) configured with rules to block malicious requests targeting the vulnerable endpoint. Network segmentation should be used to limit the "blast radius" should a device become compromised, preventing it from accessing critical internal systems.

Public Exploit Available: true

Given the critical CVSS score of 9.8, the potential for remote, unauthenticated code execution, and the availability of a public exploit, this vulnerability poses an immediate and severe threat. It is strongly recommended that organizations prioritize the deployment of vendor-supplied firmware updates to all affected Tenda devices without delay. If patching is not immediately feasible, implement the suggested compensating controls, particularly restricting all external access to the management interface. Although not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion, and it should be treated with the highest urgency.