CVE-2025-63666
Published: 12 November 2025
Summary
CVE-2025-63666 is a critical-severity Improper Access Control (CWE-284) vulnerability in Tenda AC15 firmware (v15.03.05.18_multi). Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002). The CVE is ranked at the 28.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced, however, so the below-median ranking should not be read as low exploitability where the management interface is reachable.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): directly mitigates replay of a stolen authentication cookie by requiring session authenticity mechanisms such as nonces, timestamps, cryptographic checksums, or unique unguessable session identifiers, so that a captured token cannot simply be reused.
- IA-5 (Authenticator Management): prevents exposure of the account password hash in a client-accessible cookie by requiring that authenticator content be protected from unauthorized disclosure; here the hash is effectively password-equivalent, since the cookie that carries it is what authenticates the session.
- SI-2 (Flaw Remediation): remediates the firmware defect that issues cookies with an exposed hash and a low-entropy session ID through timely identification, reporting, and correction. No fixed firmware version is cited on this page, so confirm against the vendor's release notes before treating an update as the fix.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes an MD5 password hash in an insecure cookie (no HttpOnly, Secure, or SameSite attributes). That allows the session cookie to be stolen on the network or by JavaScript running in the victim's browser (T1539), the exposed hash to be cracked offline (T1110.002), and the stolen cookie to be replayed as alternate authentication material (T1550.004). Note that the replay step needs no cracking at all: the cookie is accepted as-is, so cracking matters only for recovering the cleartext password for reuse elsewhere.
NVD Description
Tenda AC15 (v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to access protected resources.
Deeper analysis
CVE-2025-63666 is a critical authentication vulnerability (CVSS 3.1 base score 9.8) affecting the Tenda AC15 router running firmware v15.03.05.18_multi. The flaw stems from the issuance of an authentication cookie that exposes the account password hash directly to the client, combined with a short, low-entropy suffix used as the session identifier. The cookie therefore fails as an access-control mechanism (CWE-284): anyone who obtains it is authenticated, the session portion is short and low-entropy, so it offers little resistance to guessing, and the hash it carries can be cracked offline to recover the password itself.
An attacker needs only network access to the router or the ability to execute JavaScript in a victim's browser. By stealing the cookie, through network interception or client-side script injection, the attacker can replay it to impersonate the victim and reach protected administrative resources, potentially leading to full compromise of the device; the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) records high confidentiality, integrity, and availability impact with no privileges required. User interaction is scored as None because the interception path needs no action from the victim; the JavaScript path does require the victim to load attacker-controlled content while logged in.
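The mechanism described above, as an added example that is not part of this advisory, the referenced PoC, or the AC15 firmware: a small Python auditor that parses a Set-Cookie header and flags the properties the advisory describes (missing HttpOnly/Secure/SameSite, an MD5 digest embedded in the value, a session identifier too short to resist guessing), demonstrates the offline cracking step (T1110.002) against a constructed wordlist, and shows what a corrected issuer should send instead. The cookie name "sid", the "<md5hex>:<suffix>" value layout, the sample header and the wordlist are constructed assumptions; the page does not give the real cookie format.

```python
# Added example, not code from the advisory or from Tenda's firmware.
# The cookie name "sid" and the "<md5hex>:<suffix>" value layout are
# constructed assumptions used to illustrate the two defects the advisory
# describes; the real AC15 cookie format is not given on the page.
import hashlib
import math
import re
import secrets
from typing import Optional

HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed Set-Cookie header in the assumed vulnerable layout:
# MD5("password") followed by a three-character session suffix, with no
# HttpOnly/Secure/SameSite attributes.
VULNERABLE_SET_COOKIE = "sid=5f4dcc3b5aa765d61d8327deb882cf99:4k2; Path=/"


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flags -> True
    return name.strip(), value.strip(), attrs


def charset_bits(token: str) -> float:
    """Upper bound on a token's entropy, assuming each character is drawn
    uniformly from the character classes actually present in it."""
    size = 0
    if any(c.isdigit() for c in token):
        size += 10
    if any(c.islower() for c in token):
        size += 26
    if any(c.isupper() for c in token):
        size += 26
    if any(not c.isalnum() for c in token):
        size += 2  # '-' and '_' as used by base64url
    return len(token) * math.log2(size) if size else 0.0


def audit_set_cookie(header: str) -> dict:
    """Flag the properties that make an authentication cookie replayable:
    missing transport/script protections, password material in the value,
    and a session identifier too short to resist guessing."""
    name, value, attrs = parse_set_cookie(header)
    digest = HEX32.search(value)
    # Assumed layout: text after the last ':' is the session identifier;
    # without a delimiter the whole value is treated as the identifier.
    session_part = value.rsplit(":", 1)[1] if ":" in value else value
    return {
        "name": name,
        "missing_httponly": "httponly" not in attrs,
        "missing_secure": "secure" not in attrs,
        "missing_samesite": "samesite" not in attrs,
        "embedded_md5": digest.group(0) if digest else None,
        "session_id": session_part,
        "session_id_bits": charset_bits(session_part),
    }


def crack_md5(digest_hex: str, wordlist) -> Optional[str]:
    """Offline dictionary attack (T1110.002) against a hash lifted from the
    cookie: no further interaction with the device is needed."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


def issue_hardened_cookie(name: str = "sid") -> str:
    """What a fixed issuer should send: a 256-bit random opaque token that
    carries no password material, scoped with HttpOnly, Secure and SameSite.
    The server keeps the token-to-account mapping; the client learns nothing."""
    token = secrets.token_urlsafe(32)
    return f"{name}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    report = audit_set_cookie(VULNERABLE_SET_COOKIE)
    print(report)
    # Constructed wordlist; a real attacker would use a full dictionary.
    print("cracked:", crack_md5(report["embedded_md5"], ["admin", "123456", "password"]))
    print(audit_set_cookie(issue_hardened_cookie()))
```

Pointing the auditor at the Set-Cookie header from the router's login response shows whether a given firmware build still issues a hash-bearing, unflagged cookie. The entropy figure is an upper bound: it assumes the issuer picks uniformly from the observed character classes, and a sequential or time-derived suffix would be weaker still.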
Mitigation details and further technical analysis are available in the primary advisory reference at https://github.com/Remenis/CVE-2025-63666.
Details
- CWE(s)