Cyber Posture

CVE-2025-7415

Medium · Public PoC

Published: 10 July 2025

Modified: 29 April 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0531 (90.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7415 is a medium-severity Injection (CWE-74) vulnerability in Tenda O3 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly prevents command injection by validating the 'dest' argument in the /goform/getTraceroute endpoint to ensure only legitimate traceroute destinations like IP addresses are accepted.

prevent

Ensures timely identification, reporting, and patching of the specific command injection flaw in the fromTraceroutGet function of the Tenda O3V2 httpd component.

prevent

Enforces restrictions on the 'dest' parameter such as length, type, and patterns to block command injection payloads at the application boundary.
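The length, type and pattern restrictions described above can be expressed as an allowlist check on 'dest'. The following C sketch is an added example, not Tenda's firmware code or code from the referenced repository; the function names and the 253-character cap are assumptions, as is the choice to accept RFC 1123 hostnames in addition to IPv4 addresses.

```c
#include <ctype.h>
#include <string.h>

#define DEST_MAX_LEN 253 /* assumed cap: longest valid DNS name */

/* Strict dotted-quad IPv4: four octets 0-255, no leading zeros. */
static int is_ipv4(const char *s) {
    int octets = 0;
    while (*s) {
        int val = 0, digits = 0;
        if (s[0] == '0' && isdigit((unsigned char)s[1])) return 0;
        while (isdigit((unsigned char)*s)) {
            val = val * 10 + (*s++ - '0');
            if (++digits > 3 || val > 255) return 0;
        }
        if (digits == 0) return 0;
        octets++;
        if (*s == '.') {
            if (octets == 4 || s[1] == '\0') return 0;
            s++;
        } else if (*s != '\0') return 0;
    }
    return octets == 4;
}

/* RFC 1123 hostname: labels of 1-63 alphanumerics or '-', never starting or
 * ending with '-'. A leading '-' would otherwise be parsed as an option. */
static int is_hostname(const char *s) {
    size_t label = 0;
    char prev = '.';
    for (; *s; prev = *s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '.') {
            if (label == 0 || prev == '-') return 0;
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63) return 0;
        } else return 0; /* space, ';', '|', '$', '`', quotes, etc. */
    }
    return label > 0 && prev != '-';
}

/* Allowlist check for the 'dest' value: 1 on accept, 0 on reject. */
int dest_is_valid(const char *dest) {
    size_t len = dest ? strlen(dest) : 0;
    if (len == 0 || len > DEST_MAX_LEN) return 0;
    /* Digits and dots only: must be a well-formed IPv4 address. */
    if (dest[strspn(dest, "0123456789.")] == '\0') return is_ipv4(dest);
    return is_hostname(dest);
}
```

A check like this is strongest when the accepted value is then handed to the traceroute binary as its own argv element rather than interpolated into a shell command string.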

MITRE ATT&CK Enterprise Techniques [AI]

T1190 · Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 · Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059.008 · Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

T1202 · Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

Command injection in the httpd /goform/getTraceroute endpoint enables remote arbitrary command execution on the router via the 'dest' parameter, facilitating exploitation of public-facing web applications, remote services, network device CLI, and indirect command execution.

NVD Description

A vulnerability, which was classified as critical, has been found in Tenda O3V2 1.0.0.12(3880). This issue affects the function fromTraceroutGet of the file /goform/getTraceroute of the component httpd. The manipulation of the argument dest leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Deeper analysis [AI]

CVE-2025-7415 is a command injection vulnerability classified as critical in the Tenda O3V2 firmware version 1.0.0.12(3880). It affects the fromTraceroutGet function within the /goform/getTraceroute endpoint of the httpd component. The issue arises from improper handling of the 'dest' argument, allowing attackers to inject arbitrary commands.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is remotely exploitable over the network with low complexity. Exploitation requires low privileges, such as an authenticated user account, and can result in limited confidentiality, integrity, and availability impacts (CWE-74, CWE-77). Attackers can manipulate the 'dest' parameter to execute commands on the device.

References include a GitHub repository detailing the vulnerability and providing a proof-of-concept exploit, as well as entries on VulDB. No specific patches or mitigation steps from vendor advisories are detailed in the available information, though the public disclosure of the exploit increases the risk of active use.

Details

CWE(s)

Affected Products

tenda
o3 firmware
1.0.0.12(3880)

CVEs Like This One

CVE-2025-7414 (Same product: Tenda O3)
CVE-2025-7416 (Same product: Tenda O3)
CVE-2025-7422 (Same product: Tenda O3)
CVE-2025-7421 (Same product: Tenda O3)
CVE-2025-7423 (Same product: Tenda O3)
CVE-2025-55613 (Same product: Tenda O3)
CVE-2025-7420 (Same product: Tenda O3)
CVE-2025-7417 (Same product: Tenda O3)
CVE-2025-7419 (Same product: Tenda O3)
CVE-2025-7418 (Same product: Tenda O3)
