Cyber Resilience

CVE-2025-15472

High · Public PoC · RCE

Published: 07 January 2026
Modified: 15 January 2026
KEV Added
Patch
CVSS Score v4: 7.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0151 (81.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-15472 is a high-severity command injection (CWE-77) vulnerability in TRENDnet TEW-811DRU firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 18.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

A command injection vulnerability exists in the TRENDnet TEW-811DRU router running firmware version 1.0.2.0. The flaw resides in the setDeviceURL function of the uapply.cgi file within the httpd component and stems from unsanitized handling of the DeviceURL argument, corresponding to CWE-77 and CWE-78. Successful exploitation allows operating-system command execution on the device.

An authenticated remote attacker can trigger the issue over the network without user interaction by supplying a malicious DeviceURL value. The attack yields high impact on confidentiality, integrity, and availability of the affected router, with a CVSS 4.0 score of 7.3. A working exploit has been made public.

No vendor advisory, patch, or mitigation guidance has been issued; the vendor was notified prior to disclosure but did not respond. Public references consist of technical write-ups on VulDB and a Notion page that document the vulnerability and proof-of-concept.

The associated EPSS score has remained low, moving only from 0.0151 to a peak of 0.0162.

Vulnerability details

A flaw has been found in TRENDnet TEW-811DRU 1.0.2.0. This affects the function setDeviceURL of the file uapply.cgi of the component httpd. This manipulation of the argument DeviceURL causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in the public-facing httpd component directly enables remote exploitation of the application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7609 (Same vendor: Trendnet)
CVE-2026-5352 (Same vendor: Trendnet)
CVE-2026-5354 (Same vendor: Trendnet)
CVE-2025-15471 (Same vendor: Trendnet)
CVE-2024-57590 (Same vendor: Trendnet)
CVE-2024-46484 (Same vendor: Trendnet)
CVE-2026-5353 (Same vendor: Trendnet)
CVE-2026-5355 (Same vendor: Trendnet)
CVE-2026-5351 (Same vendor: Trendnet)
CVE-2025-15139 (Same vendor: Trendnet)

Affected Assets

Vendor: trendnet
Product: tew-811dru firmware
Version: 1.0.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly blocks OS command injection by requiring validation and sanitization of the DeviceURL argument before it reaches setDeviceURL in uapply.cgi.

prevent

Limits the high-privilege (PR:H) accounts that can reach the vulnerable httpd function, reducing the population able to supply a malicious DeviceURL.

prevent

Requires prompt application of firmware patches that remediate the command-injection flaw in the setDeviceURL handler once a fix becomes available.
