CVE-2025-15233
Published: 30 December 2025
Summary
CVE-2025-15233 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda M3 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the heap buffer overflow by identifying, reporting, and correcting the flaw in the formSetAdInfoDetails function through patching.
Requires validation of manipulated arguments like adName and smsPassword to prevent heap buffer overflows from invalid inputs.
Implements memory safeguards such as non-executable heap regions and address space randomization to mitigate exploitation of the heap buffer overflow for arbitrary code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap-based buffer overflow in public-facing web endpoint (/goform/setAdInfoDetail) on router firmware enables remote arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
A security flaw has been discovered in Tenda M3 1.0.0.13(4903). This issue affects the function formSetAdInfoDetails of the file /goform/setAdInfoDetail. The manipulation of the argument adName/smsPassword/smsAccount/weixinAccount/weixinName/smsSignature/adRedirectUrl/adCopyRight/smsContent/adItemUID results in heap-based buffer overflow. The attack may be performed from remote. The exploit…
more
has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2025-15233 is a heap-based buffer overflow vulnerability affecting the formSetAdInfoDetails function in the /goform/setAdInfoDetail file of Tenda M3 firmware version 1.0.0.13(4903). The flaw arises from manipulation of arguments such as adName, smsPassword, smsAccount, weixinAccount, weixinName, smsSignature, adRedirectUrl, adCopyRight, smsContent, and adItemUID, as classified under CWE-119 and CWE-122.
The vulnerability enables remote exploitation by attackers with low privileges (PR:L), requiring network access and low attack complexity but no user interaction. With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially leading to arbitrary code execution on the affected device.
VulDB advisories (ctiid.338629, id.338629, submit.725495) document the issue, while a GitHub repository at dwBruijn/CVEs/blob/main/Tenda/setAdInfoDetail.md provides a publicly released exploit. The Tenda vendor site at tenda.com.cn is referenced for further details, though no specific patches are detailed in available sources.
The exploit's public release heightens the risk of real-world attacks against unpatched Tenda M3 devices.
Details
- CWE(s)