CVE-2025-15136
Published 2025-12-28
Priority: P2 · 78 · high · 8.8 · CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.75% (94.9th percentile)
A security vulnerability has been detected in TRENDnet TEW-800MB 1.0.1.0. Affected is the function do_setWizard_asp of the file /goform/wizardset of the component Management Interface. The manipulation of the argument WizardConfigured leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | cbl2_etcd_3.5.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| trendnet | tew-800mb | — | — |
| trendnet | tew-800mb_firmware | — | — |
Detection & IOCs
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TrendNet wizardset WizardConfigured Parameter Command Injection Attempt (CVE-2025-15136)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/goform/wizardset"; fast_pattern; http.request_body; content:"WizardConfigured|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-2c7e5dd4c5a58067bc81e530bf3191c0; reference:cve,2025-15136; classtype:attempted-admin; sid:2066747; rev:1; metadata:affected_product TrendNet, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_14, cve CVE_2025_15136, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Target POST requests to the exact URI /goform/wizardset (bsize:17) on the management interface of TRENDnet TEW-800MB devices.
- Inspect the HTTP request body for the parameter name 'WizardConfigured=' (the rule writes '=' as the hex byte |3d|) followed, before the next '&', by a shell metacharacter in raw or URL-encoded form: semicolon (; or %3B), newline (\n or %0A), backtick (` or %60), pipe (| or %7C), or dollar sign ($ or %24). Any of these indicates a command injection attempt.
- The exploit is delivered over plaintext HTTP (not TLS); perimeter and internal network inspection points are both relevant deployment locations.
- The vulnerable function is do_setWizard_asp within the file /goform/wizardset; the injection point is the WizardConfigured argument.
- The attack can be initiated remotely and a public exploit has been disclosed; treat any external access to /goform/wizardset as high-severity.
- The Snort/Suricata rule (ET sid:2066747) targets plaintext HTTP only; if the management interface is ever exposed over HTTPS, this rule will not fire and TLS inspection would be required.
- The URI match uses an exact byte-size constraint (bsize:17); any URL encoding or path variation of /goform/wizardset that changes the byte length would evade this specific rule.
- The vendor did not respond to early disclosure; no patch is confirmed available, so network-level blocking of access to /goform/wizardset is the primary mitigation.
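The rule's body check can also be run offline over captured or proxied requests. The following is an added example, not code from this page or from the rule's authors: it ports the rule's pcre to Python and percent-decodes the request path before comparing it, so the path variations noted above are still matched. The function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

TARGET_PATH = "/goform/wizardset"  # URI matched by the rule (17 bytes)

# Same alternatives as the rule's pcre: a raw or percent-encoded
# ; newline ` | or $ inside the WizardConfigured value, i.e. before
# the next '&' that would start another parameter.
INJECTION = re.compile(
    r"WizardConfigured=[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)"
)

def normalize_path(uri: str) -> str:
    """Drop the query string, percent-decode once, collapse repeated slashes.

    One decoding pass only; double-encoded paths are not handled here.
    """
    path = unquote(uri.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def is_suspicious(method: str, uri: str, body: str) -> bool:
    """True when a request matches the rule's logic for CVE-2025-15136."""
    if method.upper() != "POST":
        return False
    if normalize_path(uri) != TARGET_PATH:
        return False
    return INJECTION.search(body) is not None

# Constructed sample requests (method, URI, body); "x" is a placeholder.
SAMPLES = [
    ("POST", "/goform/wizardset", "WizardConfigured=1&lang=en"),
    ("POST", "/goform/wizardset", "WizardConfigured=1%3Bx&lang=en"),
    ("POST", "/goform/%77izardset", "WizardConfigured=1|x"),
    ("GET", "/goform/wizardset", "WizardConfigured=1;x"),
    ("POST", "/goform/wizardset", "WizardConfigured=1&note=a;b"),
]

def triage(samples):
    """Return one verdict per sample request, in order."""
    return [is_suspicious(m, u, b) for m, u, b in samples]

if __name__ == "__main__":
    for sample, hit in zip(SAMPLES, triage(SAMPLES)):
        print("ALERT" if hit else "ok   ", sample)
```

The last sample stays clean because the metacharacter sits in a different parameter, which mirrors the rule's `[^\x26]` guard.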
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vendor_msrc | | 6.5 | MEDIUM | |
GHSA
GHSA-2mpc-f7w9-hpmw: A security vulnerability has been detected in TRENDnet TEW-800MB 1
ghsa_unreviewed·2025-12-28
CVE-2025-15136 [HIGH] CWE-74 GHSA-2mpc-f7w9-hpmw: A security vulnerability has been detected in TRENDnet TEW-800MB 1
A security vulnerability has been detected in TRENDnet TEW-800MB 1.0.1.0. Affected is the function do_setWizard_asp of the file /goform/wizardset of the component Management Interface. The manipulation of the argument WizardConfigured leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Microsoft
Improper authentication in etcd
vendor_msrc·2020-08-11·CVSS 6.5
CVE-2020-15136 [MEDIUM] CWE-306 Improper authentication in etcd
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-
Suricata
ET WEB_SPECIFIC_APPS TrendNet wizardset WizardConfigured Parameter Command Injection Attempt (CVE-2025-15136)
suricata·2026-01-14·CVSS 7.4
CVE-2025-15136 [HIGH] ET WEB_SPECIFIC_APPS TrendNet wizardset WizardConfigured Parameter Command Injection Attempt (CVE-2025-15136)
No public exploits indexed.
No writeups or analysis indexed.
2025-12-28
Published