CVE-2025-15215

HIGH

Tenda Ac10u Firmware - Memory Corruption

Title source: rule

Description

A vulnerability was determined in Tenda AC10U 15.03.06.48/15.03.06.49. This affects the function formSetPPTPUserList of the file /goform/setPptpUserList of the component HTTP POST Request Handler. This manipulation of the argument list causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

References (5)

[VDB Entry] https://vuldb.com/?id.338600

[VDB Entry] https://vuldb.com/?ctiid.338600

[VDB Entry] https://vuldb.com/?submit.725365

[Exploit, Third Party Advisory] https://www.notion.so/Tenda-AC10U-setPptpUserList-2d753a41781f80e8ba6bc37ba6100343?pvs=73

[Product] https://www.tenda.com.cn/

Scores

CVSS v3 8.8

EPSS 0.0008

EPSS Percentile 24.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-120 CWE-119

Status published

Products (2)

tenda/ac10u_firmware 15.03.06.48

tenda/ac10u_firmware 15.03.06.49

Published Dec 30, 2025

Tracked Since Feb 18, 2026