Cyber Posture

CVE-2025-15472

HighPublic PoCRCE

Published: 07 January 2026

Published
07 January 2026
Modified
15 January 2026
KEV Added
Patch
CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0082 74.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-15472 is a high-severity Command Injection (CWE-77) vulnerability in Trendnet Tew-811Dru Firmware. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-27 Platform-independent Applications
addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

SI-10 Information Input Validation
addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

OS command injection in public-facing httpd component directly enables remote exploitation of the application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw has been found in TRENDnet TEW-811DRU 1.0.2.0. This affects the function setDeviceURL of the file uapply.cgi of the component httpd . This manipulation of the argument DeviceURL causes os command injection. The attack can be initiated remotely. The…

more

exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2025-15472 is an OS command injection vulnerability in the TRENDnet TEW-811DRU router running firmware version 1.0.2.0. The flaw resides in the setDeviceURL function within the uapply.cgi file of the httpd component, where manipulation of the DeviceURL argument enables command injection. Associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited remotely by attackers who possess high privileges, such as administrative access to the device. Successful exploitation allows arbitrary OS command execution, potentially resulting in high impacts to confidentiality, integrity, and availability, including full system compromise.

Advisories indicate that an exploit has been published and may be actively used, with references available at sites like VulDB and a Notion page detailing the issue. The vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are mentioned in the available information.

Details

CWE(s)
CWE-77CWE-78

Affected Products

trendnet
tew-811dru firmware
1.0.2.0

CVEs Like This One

CVE-2026-5354Same vendor: Trendnet
CVE-2025-15471Same vendor: Trendnet
CVE-2026-5352Same vendor: Trendnet
CVE-2024-57590Same vendor: Trendnet
CVE-2026-5351Same vendor: Trendnet
CVE-2026-5353Same vendor: Trendnet
CVE-2026-5355Same vendor: Trendnet
CVE-2026-5349Same vendor: Trendnet
CVE-2026-7609Same vendor: Trendnet
CVE-2025-15139Same vendor: Trendnet

References