CVE-2025-15371
Hardcoded Credentials in Tenda Shadow File Component (Local Attack
Publication date: 2025-12-31
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | 4g03prov1.0re | V04.03.01.49 |
| tenda | mw5gv1.0re | V1.0.0.35 |
| tenda | 4g08v1.0re | V04.08.01.28 |
| tenda | teg5328fv1.0ma | V65.10.15.6 |
| tenda | i24v3.0 | V3.0.0.8 |
| tenda | 4g05v1.0re | V04.05.01.15 |
| tenda | g0-8g-poev2.0si | V16.01.8.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-259 | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting local access to the affected devices to prevent exploitation, as the attack requires local access and sophisticated execution. Since no known countermeasures or patches currently exist, replacement of the affected devices is suggested. Monitoring for suspicious activity and disabling unnecessary local access interfaces may also reduce risk. Applying firmware updates if available or consulting the vendor for patches is recommended once they are released. [4]
Can you explain this vulnerability to me?
CVE-2025-15371 is a hard-coded password vulnerability affecting multiple Tenda router models. The flaw exists in the device's shadow or passwd files, where embedded hard-coded root credentials are present. By supplying a specific input (such as "Fireitup"), an attacker with local access can trigger the use of these credentials to gain unauthorized root-level access. Exploiting this vulnerability requires local access and a sophisticated attack method, but a public Proof of Concept (PoC) has been released, increasing the risk of weaponization. [1, 2, 3, 4, 5, 7, 8, 9]
How can this vulnerability impact me? :
This vulnerability allows an attacker with local access to gain root-level control over affected Tenda devices by exploiting hard-coded credentials. This compromises the confidentiality, integrity, and availability of the device, potentially allowing unauthorized access, manipulation of device settings, interception of data, or disruption of network services. Since root access is obtained, the attacker can fully control the device, which poses a significant security risk. [1, 2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of hard-coded credentials in the /etc/shadow or /etc_ro/shadow files on affected Tenda devices. Since exploitation requires local access, you can inspect these files for suspicious entries or known hardcoded passwords triggered by the input 'Fireitup'. Commands such as 'cat /etc/shadow' or 'cat /etc_ro/shadow' on the device can reveal these entries. Additionally, monitoring for unauthorized root logins or attempts to use the specific input 'Fireitup' may help detect exploitation attempts. However, no specific detection commands or automated detection tools are provided in the resources. [1, 3, 8]