CVE-2025-15234
Published: 30 December 2025
Summary
CVE-2025-15234 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda M3 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of information inputs such as portIp, portMask, portGateWay, portDns, and portSecDns to prevent heap-based buffer overflows from malformed data in formSetRemoteInternetLanInfo.
Mandates timely identification, reporting, and patching of the specific heap buffer overflow flaw in Tenda M3 firmware version 1.0.0.13(4903).
Implements memory safeguards like address space layout randomization and non-executable memory to block arbitrary code execution from heap buffer overflow exploits.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap-based buffer overflow in public-facing web interface (/goform/setInternetLanInfo) of Tenda M3 router firmware enables remote code execution, directly mapping to exploitation of public-facing applications.
NVD Description
A weakness has been identified in Tenda M3 1.0.0.13(4903). Impacted is the function formSetRemoteInternetLanInfo of the file /goform/setInternetLanInfo. This manipulation of the argument portIp/portMask/portGateWay/portDns/portSecDns causes heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been…
more
made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2025-2025-15234 is a heap-based buffer overflow vulnerability (CWE-119, CWE-122) in Tenda M3 firmware version 1.0.0.13(4903). The flaw affects the formSetRemoteInternetLanInfo function in the /goform/setInternetLanInfo file, where manipulation of arguments including portIp, portMask, portGateWay, portDns, and portSecDns triggers the overflow.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely by an attacker with low privileges, low attack complexity, and no user interaction. Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution.
Advisories and details are documented on VulDB (ctiid.338630, id.338630, submit.725496) and a public proof-of-concept exploit is hosted at https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteInternetLanInfo.md, with the vendor site at https://www.tenda.com.cn/. The exploit's public availability heightens the risk of real-world attacks, as published on 2025-12-30.
Details
- CWE(s)