Cyber Resilience

CVE-2025-7415

Low · Public PoC

Published: 10 July 2025

Modified: 29 April 2026
CVSS Score v4: 2.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0531 (90.2th percentile)
Risk Priority: 7 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7415 is a low-severity Injection (CWE-74) vulnerability in Tenda O3 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A command injection vulnerability exists in Tenda O3V2 firmware version 1.0.0.12(3880), in the fromTraceroutGet function of the /goform/getTraceroute endpoint within the httpd component. The flaw, tracked as CVE-2025-7415 and mapped to CWE-74 and CWE-77, results from insufficient sanitization of the dest argument. It carries a CVSS 4.0 score of 2.1, reflecting the need for a low-privileged account.

An authenticated remote attacker can supply a malicious dest value to the affected endpoint and execute arbitrary operating-system commands on the device. Public proof-of-concept code has been released that demonstrates the injection.

The referenced disclosures on GitHub and VulDB provide technical details and exploit artifacts but contain no information on vendor patches or mitigation steps. The associated EPSS score has remained flat at 0.0531 with no observed increase after publication.

Vulnerability details

A vulnerability, which was classified as critical, has been found in Tenda O3V2 1.0.0.12(3880). This issue affects the function fromTraceroutGet of the file /goform/getTraceroute of the component httpd. The manipulation of the argument dest leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

Command injection in the httpd /goform/getTraceroute endpoint enables remote arbitrary command execution on the router via the 'dest' parameter, facilitating exploitation of public-facing web applications, remote services, network device CLI, and indirect command execution.

CVEs Like This One

CVE-2025-7414 (Same product: Tenda O3)
CVE-2025-7416 (Same product: Tenda O3)
CVE-2025-7417 (Same product: Tenda O3)
CVE-2025-7418 (Same product: Tenda O3)
CVE-2025-7422 (Same product: Tenda O3)
CVE-2025-7419 (Same product: Tenda O3)
CVE-2025-55613 (Same product: Tenda O3)
CVE-2025-7423 (Same product: Tenda O3)
CVE-2025-7421 (Same product: Tenda O3)
CVE-2025-7420 (Same product: Tenda O3)

Affected Assets

Vendor: tenda
Product: o3 firmware
Version: 1.0.0.12(3880)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly prevents command injection by validating the 'dest' argument in the /goform/getTraceroute endpoint to ensure only legitimate traceroute destinations like IP addresses are accepted.

prevent

Ensures timely identification, reporting, and patching of the specific command injection flaw in the fromTraceroutGet function of the Tenda O3V2 httpd component.

prevent

Enforces restrictions on the 'dest' parameter such as length, type, and patterns to block command injection payloads at the application boundary.
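
The input validation these controls describe for the dest argument, as an added example (not code from the advisory or from the Tenda firmware): an allowlist that accepts only IP literals or RFC 1123 hostnames within DNS length limits. The function names and constants are hypothetical.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

#define DEST_MAX_LEN 253  /* longest valid DNS name */
#define LABEL_MAX_LEN 63  /* longest valid DNS label */

/* True if s is an IPv4 or IPv6 literal; inet_pton rejects anything else. */
static bool is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* True if s is an RFC 1123 hostname: dot-separated labels of [A-Za-z0-9-],
 * 1..63 bytes each, never starting or ending with '-' (blocks "-option"). */
static bool is_hostname(const char *s)
{
    size_t label_len = 0;
    char prev = '.';
    for (; *s; prev = *s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '.') {
            if (label_len == 0 || prev == '-') return false;
            label_len = 0;
        } else if (isalnum(c) || c == '-') {
            if (c == '-' && label_len == 0) return false;
            if (++label_len > LABEL_MAX_LEN) return false;
        } else {
            return false;  /* shell metacharacters, whitespace, quotes, ... */
        }
    }
    return label_len > 0 && prev != '-';
}

/* Allowlist check for a traceroute destination (hypothetical helper). */
bool dest_is_valid(const char *dest)
{
    if (dest == NULL) return false;
    size_t len = strlen(dest);
    if (len == 0 || len > DEST_MAX_LEN) return false;
    return is_ip_literal(dest) || is_hostname(dest);
}

int main(void)
{   /* constructed samples: exit 0 when the literal passes and the tainted one fails */
    return dest_is_valid("192.0.2.10") && !dest_is_valid("192.0.2.10;id") ? 0 : 1;
}
```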
