A critical remote code execution vulnerability, identified as CVE-2025-15047, has been discovered in multiple Tenda products. This flaw allows an unauthenticated attacker to take complete control of an affected device over the network by sending a specially crafted request, posing a severe risk of data compromise, network disruption, and further intrusions into the connected network.

The vulnerability is a stack-based buffer overflow within the HTTP Request Handler component of the device's firmware. A remote, unauthenticated attacker can exploit this by sending a crafted HTTP POST request to the /goform/PPTPDClient endpoint with an overly long value in the Username parameter. This action overflows the buffer on the stack, allowing the attacker to overwrite critical control structures and execute arbitrary code with the privileges of the device's web server, typically root.

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the ease of exploitation and the potential for complete system compromise. Successful exploitation would grant an attacker full administrative control over the affected Tenda device. This could lead to severe consequences, including the theft of sensitive network traffic, installation of persistent malware, pivoting to attack other internal network assets, and using the compromised device as part of a botnet for DDoS attacks. The direct risks to the organization include loss of data confidentiality, integrity, and availability of network services.

Immediate Action: The primary remediation is to update the firmware on all affected Tenda devices. Organizations must immediately identify vulnerable devices and apply the patches provided by the vendor. The vendor's official recommendation is to: Update A vulnerability was found in Tenda Multiple Products to the latest version.

Proactive Monitoring: Security teams should actively monitor for signs of compromise. This includes reviewing web server access logs for anomalous requests to the /goform/PPTPDClient endpoint, specifically looking for POST requests with abnormally long Username parameters. Monitor network traffic for unusual outbound connections from Tenda devices and watch for unexpected system behavior such as high CPU utilization or reboots.

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

• Restrict access to the device's web management interface to trusted internal networks only. Do not expose the management interface to the internet.
• Implement network segmentation to isolate the Tenda devices from critical network assets, limiting the potential impact of a compromise.
• If a Web Application Firewall (WAF) is in place, create a rule to block or alert on requests to /goform/PPTPDClient that contain a Username field exceeding a reasonable length.

Public Exploit Available: true

Given the critical CVSS score of 9.8, the remote and unauthenticated nature of the exploit, and the public availability of exploit code, this vulnerability poses an immediate and severe threat. Organizations are strongly urged to prioritize the patching of all affected Tenda devices without delay. Although this CVE is not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for active exploitation. All remediation and monitoring actions should be treated with the highest urgency to prevent a potential compromise.