CVE-2025-15136
Command Injection in TRENDnet TEW-800MB Management Interface
Publication date: 2025-12-28
Last updated on: 2025-12-28
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trendnet | tew-800mb | 1.0.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the TRENDnet TEW-800MB device, specifically in the do_setWizard_asp function of the /goform/wizardset component in the Management Interface. It involves manipulation of the WizardConfigured argument, which leads to command injection. This means an attacker can remotely execute arbitrary commands on the device by exploiting this flaw.
How can this vulnerability impact me? :
The vulnerability allows remote attackers to execute arbitrary commands on the affected device, potentially leading to unauthorized control, data compromise, disruption of services, or further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by monitoring network traffic for requests to the vulnerable endpoint `/goform/wizardset` with suspicious or unusual parameters related to `WizardConfigured`. Since the vulnerability involves command injection via this parameter, inspecting HTTP POST requests to this endpoint for unexpected or malformed input may indicate exploitation attempts. Additionally, checking for authentication attempts or usage of default credentials on the management interface could help identify potential attackers. Specific commands to detect exploitation attempts might include using tools like curl or wget to test the endpoint, or network monitoring tools to filter traffic. For example, using curl to send a crafted request to test for command injection: `curl -X POST http://<device-ip>/goform/wizardset -d 'WizardConfigured=;id'` and observing the response for command execution output. Network IDS/IPS rules can also be created to alert on such patterns. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the management interface to trusted networks only, disabling remote management if possible, and changing default credentials to strong, unique passwords to prevent unauthorized access. Since no vendor patch or official fix is available and the vendor has not responded, it is recommended to replace the affected TRENDnet TEW-800MB device with a secure alternative. Monitoring for exploitation attempts and isolating vulnerable devices from untrusted networks can also reduce risk. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability impacts the confidentiality, integrity, and availability of the affected device, which could lead to non-compliance with standards and regulations such as GDPR and HIPAA that require protection of sensitive data and system integrity. However, no specific details on compliance impact or regulatory consequences are provided. [1]