Cyber Posture

CVE-2025-15254

Severity: Medium · Public PoC available

Published: 30 December 2025
Modified: 24 February 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: none listed
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0103 (77.6th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-15254 is a medium-severity OS command injection vulnerability (CWE-77 / CWE-78) in Tenda W6-S firmware version 1.0.0.4(510). Its CVSS v3.1 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 22.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Network Device CLI (T1059.008). What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 Information Input Validation (prevent)

Directly prevents the OS command injection by requiring validation and sanitization of the inputs that reach the TendaAte function in /goform/ate.

SI-2 Flaw Remediation (prevent)

Mandates timely flaw remediation through firmware patching to eliminate the command injection in Tenda W6-S 1.0.0.4(510).

AC-6 Least Privilege (prevent)

Limits the scope and impact of arbitrary OS commands executed by an authenticated, low-privilege remote attacker.
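The two input-validation and least-privilege controls above describe the fix in the abstract. The C program below is an added illustration, not Tenda's firmware code (the real TendaAte handler is not reproduced on this page): it shows the CWE-78 pattern of a diagnostic parameter pasted into a shell command line, next to an SI-10 allowlist validator and an execv-style argv builder that never hands the parameter to a shell. The parameter name ate_cmd, the /bin/ate helper path, the allowed character set and the sample inputs are all assumptions constructed for the example; nothing in it executes a command.

```c
/* Added illustration (not Tenda's code): the CWE-78 pattern behind an
 * ATE-style diagnostic endpoint, next to the NIST SI-10 fix.
 * Assumptions: a hypothetical request parameter "ate_cmd" is interpolated
 * into a shell command line for a hypothetical /bin/ate helper.
 * The builders only return what would have reached system() or execv();
 * nothing here runs a command. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX      256
#define ATE_ARG_MAX  32

/* VULNERABLE pattern: untrusted parameter pasted into a shell command
 * string. Returns the formatted length, or -1 on truncation. */
int build_ate_command_vulnerable(const char *ate_cmd, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "/bin/ate %s", ate_cmd);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Shell metacharacter check, usable both as a last-line defence and as a
 * WAF/log-scanning rule for requests to /goform/ate. Returns 1 if found. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&$`<>()\n\r") != NULL;
}

/* SI-10 allowlist validation: a test-mode token may contain only
 * alphanumerics, '_', '-' and '.', within a hard length cap. Allowlisting
 * rejects every metacharacter without having to enumerate them. */
int ate_param_is_safe(const char *ate_cmd)
{
    size_t len = strlen(ate_cmd);
    if (len == 0 || len > ATE_ARG_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ate_cmd[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* HARDENED pattern: validate, then build an argv[] for execv(), so no
 * shell ever parses the parameter. argv must hold 3 pointers. Returns the
 * argument count (2) or -1 when validation fails. */
int build_ate_argv_hardened(const char *ate_cmd, const char *argv[3])
{
    if (!ate_param_is_safe(ate_cmd))
        return -1;
    argv[0] = "/bin/ate";
    argv[1] = ate_cmd;
    argv[2] = NULL;
    return 2;
}

/* Does the vulnerable builder let metacharacters through to the shell
 * command? 1 = yes (injection possible), 0 = no, -1 = truncated. */
int vulnerable_passes_metachar(const char *ate_cmd)
{
    char cmd[CMD_MAX];
    if (build_ate_command_vulnerable(ate_cmd, cmd, sizeof cmd) < 0)
        return -1;
    return has_shell_metachar(cmd);
}

/* Convenience wrapper: argv count from the hardened builder, or -1. */
int hardened_argc(const char *ate_cmd)
{
    const char *argv[3];
    return build_ate_argv_hardened(ate_cmd, argv);
}

int main(void)
{
    /* Constructed sample inputs: one benign token, one injection attempt. */
    const char *benign = "rf_test";
    const char *attack = "rf_test;cat /etc/passwd";
    char cmd[CMD_MAX];

    build_ate_command_vulnerable(attack, cmd, sizeof cmd);
    printf("vulnerable builder would run: %s\n", cmd);
    printf("hardened accepts benign: %d, accepts attack: %d\n",
           hardened_argc(benign), hardened_argc(attack));
    return 0;
}
```

The allowlist is preferred over a metacharacter denylist because it rejects anything the token does not need, so a character the denylist missed (an encoded newline, a backtick, an unusual quote) cannot slip through; has_shell_metachar is still useful as a detection rule for access logs or a WAF watching /goform/ate. Running the ATE service itself without root, which is what the least-privilege control asks for, is a deployment decision a code snippet cannot show.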

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

The CVE lets a remote attacker exploit a public-facing web application (the router firmware's web interface) via command injection, which in turn yields Network Device CLI-style arbitrary OS command execution on the device.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was found in Tenda W6-S 1.0.0.4(510). This affects the function TendaAte of the file /goform/ate of the component ATE Service. Performing a manipulation results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used.

Deeper analysis [AI-generated]

CVE-2025-15254 is an OS command injection vulnerability (CWE-77, CWE-78) discovered in Tenda W6-S router firmware version 1.0.0.4(510), published on 2025-12-30. The issue resides in the TendaAte function of the /goform/ate file within the ATE Service component, where manipulation leads to arbitrary command execution.

The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating exploitation over the network with low complexity, requiring low privileges but no user interaction. A remote attacker with such access can inject OS commands, potentially resulting in limited impacts to confidentiality, integrity, and availability.

Advisories and related resources, including VulDB entries (ctiid.338644, id.338644, submit.725499) and a GitHub repository detailing the exploit at github.com/dwBruijn/CVEs/blob/main/Tenda/ate.md, provide further technical details. The manufacturer's site at tenda.com.cn may offer patch information, though specifics are not detailed in the CVE description.

The exploit has been made public and could be used, increasing the risk for unpatched Tenda W6-S devices.

Details

CWE(s)
CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Affected Products
Tenda W6-S firmware, version 1.0.0.4(510)

CVEs Like This One

CVE-2025-15255 (same product: Tenda W6-S)
CVE-2025-28221 (same product: Tenda W6-S)
CVE-2025-1819 (same vendor: Tenda)
CVE-2025-28220 (same product: Tenda W6-S)
CVE-2025-10442 (same vendor: Tenda)
CVE-2025-25632 (same vendor: Tenda)
CVE-2026-38835 (same vendor: Tenda)
CVE-2026-31255 (same vendor: Tenda)
CVE-2026-8264 (same vendor: Tenda)
CVE-2026-8259 (same vendor: Tenda)
