CVE-2025-15232
Published: 30 December 2025
Summary
CVE-2025-15232 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda M3 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents stack-based buffer overflow by validating mac and terminal arguments in the formSetAdPushInfo function to ensure inputs are within expected bounds.
Implements memory protection mechanisms such as stack canaries or DEP to block exploitation of the stack-based buffer overflow even if invalid inputs are processed.
Requires timely identification, reporting, and patching of the buffer overflow flaw in Tenda M3 firmware to eliminate the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a stack-based buffer overflow in a router's web interface (/goform/setAdPushInfo), enabling remote code execution via crafted requests by low-privileged authenticated users, directly mapping to exploitation of a public-facing application.
NVD Description
A vulnerability was identified in Tenda M3 1.0.0.13(4903). This vulnerability affects the function formSetAdPushInfo of the file /goform/setAdPushInfo. The manipulation of the argument mac/terminal leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit…
more
is publicly available and might be used.
Deeper analysisAI
CVE-2025-15232 is a stack-based buffer overflow vulnerability in the Tenda M3 router firmware version 1.0.0.13(4903). The flaw affects the formSetAdPushInfo function in the /goform/setAdPushInfo file, where manipulation of the mac or terminal arguments triggers the overflow. Published on 2025-12-30, it is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
The vulnerability enables remote exploitation by authenticated users with low privileges. Attackers can send crafted requests to the affected endpoint, leading to potential arbitrary code execution with high impacts on confidentiality, integrity, and availability. A public exploit is available, increasing the risk of widespread abuse.
VulDB advisories (ctiid.338628, id.338628, submit.725494) document the issue, with a detailed proof-of-concept on GitHub at dwBruijn/CVEs/blob/main/Tenda/setAdPushInfo.md. No specific patches or mitigations are detailed in the references; security practitioners should check the Tenda website (tenda.com.cn) for firmware updates and consider network segmentation or disabling the endpoint where possible.
Details
- CWE(s)