CVE-2025-15472
Published: 07 January 2026
Summary
CVE-2025-15472 is a high-severity Command Injection (CWE-77) vulnerability in TRENDnet TEW-811DRU firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
A command injection vulnerability exists in the TRENDnet TEW-811DRU router running firmware version 1.0.2.0. The flaw resides in the setDeviceURL function of the uapply.cgi file within the httpd component and stems from unsanitized handling of the DeviceURL argument, corresponding to CWE-77 and CWE-78. Successful exploitation allows operating-system command execution on the device.
An authenticated remote attacker can trigger the issue over the network without user interaction by supplying a malicious DeviceURL value. The attack yields high impact on confidentiality, integrity, and availability of the affected router, with a CVSS 4.0 score of 7.3. A working exploit has been made public.
No vendor advisory, patch, or mitigation guidance has been issued; the vendor was notified prior to disclosure but did not respond. Public references consist of technical write-ups on VulDB and a Notion page that document the vulnerability and proof-of-concept.
The associated EPSS score has remained low, moving only from 0.0151 to a peak of 0.0162.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206249
Vulnerability details
A flaw has been found in TRENDnet TEW-811DRU 1.0.2.0. This affects the function setDeviceURL of the file uapply.cgi of the component httpd. This manipulation of the argument DeviceURL causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in public-facing httpd component directly enables remote exploitation of the application (T1190) and arbitrary Unix shell command execution (T1059.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly blocks OS command injection by requiring validation and sanitization of the DeviceURL argument before it reaches setDeviceURL in uapply.cgi.
Limits the high-privilege (PR:H) accounts that can reach the vulnerable httpd function, reducing the population able to supply a malicious DeviceURL.
Requires prompt application of firmware patches that remediate the command-injection flaw in the setDeviceURL handler once a fix becomes available.
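A sketch of the input validation control described above, as an added example (not TRENDnet's code and not taken from the referenced write-ups): an allow-list check a CGI handler could apply to a DeviceURL value before using it. The function name `device_url_is_valid`, the length limit and the accepted character set are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define DEVICE_URL_MAX 128 /* assumed limit, not taken from the firmware */

static int is_ascii_alnum(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z');
}

/* Return 1 if s is an acceptable DeviceURL value, 0 otherwise.
 * Allow-list: "http://" or "https://", then host[:port][/path] built only
 * from characters that carry no meaning for a shell. Anything else is
 * rejected rather than escaped. A validated value should still be passed
 * as a separate argv element, never interpolated into a shell string. */
int device_url_is_valid(const char *s)
{
    static const char extra[] = "-._~/:%"; /* allowed besides alphanumerics */
    size_t len = 0, start, i;

    if (s == NULL)
        return 0;
    while (len <= DEVICE_URL_MAX && s[len] != '\0')
        len++;
    if (len == 0 || len > DEVICE_URL_MAX)
        return 0;

    if (strncmp(s, "http://", 7) == 0)
        start = 7;
    else if (strncmp(s, "https://", 8) == 0)
        start = 8;
    else
        return 0;

    /* Host must begin with an alphanumeric; this also rejects an empty host
     * and values that would read as a command-line option. */
    if (!is_ascii_alnum((unsigned char)s[start]))
        return 0;

    for (i = start; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!is_ascii_alnum(c) && strchr(extra, c) == NULL)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample value */
    printf("%d\n", device_url_is_valid("http://192.168.10.1/setup"));
    return 0;
}
```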