CVE-2025-7415
Published: 10 July 2025
Summary
CVE-2025-7415 is a low-severity Injection (CWE-74) vulnerability in Tenda O3 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A command injection vulnerability exists in Tenda O3V2 firmware version 1.0.0.12(3880) in the fromTraceroutGet function of the /goform/getTraceroute endpoint within the httpd component. The flaw, tracked as CVE-2025-7415 and mapped to CWE-74 and CWE-77, results from insufficient sanitization of the dest argument and carries a CVSS 4.0 score of 2.1, reflecting the need for a low-privileged account.
An authenticated remote attacker can supply a malicious dest value to the affected endpoint and execute arbitrary operating-system commands on the device. Public proof-of-concept code has been released that demonstrates the injection.
The referenced disclosures on GitHub and Vuldb provide technical details and exploit artifacts but contain no information on vendor patches or mitigation steps. The associated EPSS score has remained flat at 0.0531 with no observed increase after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21060
Vulnerability details
A vulnerability, which was classified as critical, has been found in Tenda O3V2 1.0.0.12(3880). This issue affects the function fromTraceroutGet of the file /goform/getTraceroute of the component httpd. The manipulation of the argument dest leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the httpd /goform/getTraceroute endpoint enables remote arbitrary command execution on the router via the 'dest' parameter, facilitating exploitation of public-facing web applications, remote services, network device CLI, and indirect command execution.
Mitigating Controls (NIST 800-53 r5)
- Directly prevents command injection by validating the 'dest' argument in the /goform/getTraceroute endpoint so that only legitimate traceroute destinations, such as IP addresses, are accepted.
- Ensures timely identification, reporting, and patching of the specific command injection flaw in the fromTraceroutGet function of the Tenda O3V2 httpd component.
- Enforces restrictions on the 'dest' parameter, such as length, type, and character patterns, to block command injection payloads at the application boundary.
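The input-validation control above can be implemented as an allowlist on the destination parameter. The following C is an added illustration, not Tenda firmware code: it accepts only an IPv4/IPv6 literal or a syntactically valid hostname and refuses everything else, so shell metacharacters never reach the traceroute command. The function name traceroute_dest_is_valid and the DEST_MAX bound are this example's own assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed upper bound for the 'dest' parameter: the RFC 1035 hostname limit. */
#define DEST_MAX 253

/* True when s parses as an IPv4 or IPv6 address literal. */
static bool is_ip_literal(const char *s)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* True when s is a well-formed DNS hostname: labels of [A-Za-z0-9-], 1..63
 * characters each, separated by single dots, no leading or trailing hyphen. */
static bool is_hostname(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > DEST_MAX) return false;
    size_t label = 0;
    for (size_t i = 0; i <= len; i++) {
        char c = s[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63) return false;   /* empty or oversized label */
            if (s[i - 1] == '-') return false;            /* label may not end in '-' */
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (label == 0 && c == '-') return false;     /* label may not start with '-' */
            label++;
        } else {
            return false;   /* any other byte (; | ` $ & space, ...) is rejected */
        }
    }
    return true;
}

/* Allowlist check for the traceroute destination. Only an IP literal or a
 * hostname passes; the caller should still hand the value to traceroute as a
 * separate argv element rather than by concatenating it into a shell string. */
bool traceroute_dest_is_valid(const char *dest)
{
    if (dest == NULL || strlen(dest) > DEST_MAX) return false;
    return is_ip_literal(dest) || is_hostname(dest);
}
```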