CVE-2025-15371
Unknown Unknown - Not Provided
Hardcoded Credentials in Tenda Shadow File Component (Local Attack

Publication date: 2025-12-31

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F up to 65.10.15.6. Affected is an unknown function of the component Shadow File. Such manipulation with the input Fireitup leads to hard-coded credentials. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15371
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
tenda 4g03prov1.0re V04.03.01.49
tenda mw5gv1.0re V1.0.0.35
tenda 4g08v1.0re V04.08.01.28
tenda teg5328fv1.0ma V65.10.15.6
tenda i24v3.0 V3.0.0.8
tenda 4g05v1.0re V04.05.01.15
tenda g0-8g-poev2.0si V16.01.8.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15371 is a hard-coded password vulnerability affecting multiple Tenda router models. The flaw exists in the device's shadow or passwd files, where embedded hard-coded root credentials are present. By supplying a specific input (such as "Fireitup"), an attacker with local access can trigger the use of these credentials to gain unauthorized root-level access. Exploiting this vulnerability requires local access and a sophisticated attack method, but a public Proof of Concept (PoC) has been released, increasing the risk of weaponization. [1, 2, 3, 4, 5, 7, 8, 9]

Impact Analysis

This vulnerability allows an attacker with local access to gain root-level control over affected Tenda devices by exploiting hard-coded credentials. This compromises the confidentiality, integrity, and availability of the device, potentially allowing unauthorized access, manipulation of device settings, interception of data, or disruption of network services. Since root access is obtained, the attacker can fully control the device, which poses a significant security risk. [1, 2, 3, 4]

Detection Guidance

Detection of this vulnerability involves checking for the presence of hard-coded credentials in the /etc/shadow or /etc_ro/shadow files on affected Tenda devices. Since exploitation requires local access, you can inspect these files for suspicious entries or known hardcoded passwords triggered by the input 'Fireitup'. Commands such as 'cat /etc/shadow' or 'cat /etc_ro/shadow' on the device can reveal these entries. Additionally, monitoring for unauthorized root logins or attempts to use the specific input 'Fireitup' may help detect exploitation attempts. However, no specific detection commands or automated detection tools are provided in the resources. [1, 3, 8]

Mitigation Strategies

Immediate mitigation steps include restricting local access to the affected devices to prevent exploitation, as the attack requires local access and sophisticated execution. Since no known countermeasures or patches currently exist, replacement of the affected devices is suggested. Monitoring for suspicious activity and disabling unnecessary local access interfaces may also reduce risk. Applying firmware updates if available or consulting the vendor for patches is recommended once they are released. [4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15371. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart