CVE-2025-15136
published 2025-12-28


Priority: P2 78
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.75% (94.9th percentile)
A security vulnerability has been detected in TRENDnet TEW-800MB 1.0.1.0. Affected is the function do_setWizard_asp of the file /goform/wizardset of the component Management Interface. The manipulation of the argument WizardConfigured leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
msrc | cbl2_etcd_3.5.0-3_on_cbl_mariner_2.0 | |
msrc | cbl_mariner_2.0_arm | |
msrc | cbl_mariner_2.0_x64 | |
trendnet | tew-800mb | |
trendnet | tew-800mb_firmware | |

Detection & IOCs

url: /goform/wizardset
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TrendNet wizardset WizardConfigured Parameter Command Injection Attempt (CVE-2025-15136)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/goform/wizardset"; fast_pattern; http.request_body; content:"WizardConfigured|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-2c7e5dd4c5a58067bc81e530bf3191c0; reference:cve,2025-15136; classtype:attempted-admin; sid:2066747; rev:1; metadata:affected_product TrendNet, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_14, cve CVE_2025_15136, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Target POST requests to the exact URI /goform/wizardset (bsize:17) on the management interface of TRENDnet TEW-800MB devices.
  • Inspect the HTTP request body for the parameter name 'WizardConfigured=' (the '=' is written as the hex byte |3d| in the rule) followed, before the next '&', by any of these shell metacharacters, raw or percent-encoded: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24). Any of them indicates command injection.
  • The exploit is delivered over plaintext HTTP (not TLS); perimeter and internal network inspection points are both relevant deployment locations.
  • The vulnerable function is do_setWizard_asp within the file /goform/wizardset; the injection point is the WizardConfigured argument.
  • The attack can be initiated remotely and a public exploit has been disclosed; treat any external access to /goform/wizardset as high-severity.
  • The Snort/Suricata rule (ET sid:2066747) targets plaintext HTTP only; if the management interface is ever exposed over HTTPS, this rule will not fire and TLS inspection would be required.
  • The URI match uses an exact byte-size constraint (bsize:17); any URL encoding or path variation of /goform/wizardset that changes the byte length would evade this specific rule.
  • The vendor did not respond to early disclosure; no patch is confirmed available, so network-level blocking of access to /goform/wizardset is the primary mitigation.
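
The rule's matching logic applied to already-parsed HTTP log records, as an added example (not part of the original page or of the ET ruleset). It goes beyond the rule by normalising the request path before comparing it, which covers the bsize:17 limitation noted above; the function names and sample requests are constructed for illustration, and whether the device itself accepts such path variants is not stated on the page.

```python
import re
from urllib.parse import unquote

TARGET_PATH = "/goform/wizardset"   # URI from the rule above
PARAM = "WizardConfigured"          # parameter named in the advisory
METACHARS = set(";\n`|$")           # characters the rule's pcre looks for

def normalise_path(uri):
    """Drop the query string, percent-decode, collapse duplicate slashes."""
    path = unquote(uri.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/") or "/"

def param_values(body, name):
    """Yield percent-decoded values of `name` from a form-encoded body."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == name:
            yield unquote(value)

def is_suspicious(method, uri, body):
    """True when a request matches the rule's intent: POST to the wizard
    endpoint with a shell metacharacter inside the WizardConfigured value."""
    if method.upper() != "POST":
        return False
    if normalise_path(uri) != TARGET_PATH:
        return False
    return any(METACHARS & set(v) for v in param_values(body, PARAM))

# Constructed sample records: (method, uri, body). "X" is a placeholder.
SAMPLES = [
    ("POST", "/goform/wizardset", "WizardConfigured=1"),
    ("POST", "/goform/wizardset", "WizardConfigured=1%3BX&a=b"),
    ("POST", "/goform/wizardset", "WizardConfigured=1&note=a;b"),
    ("POST", "/goform//wizardset?x=1", "WizardConfigured=`X`"),
    ("POST", "/goform/%77izardset", "WizardConfigured=1%0AX"),
    ("GET", "/goform/wizardset", "WizardConfigured=1|X"),
]

def scan(samples):
    """Return one verdict per sample record, in order."""
    return [is_suspicious(m, u, b) for m, u, b in samples]

if __name__ == "__main__":
    for record, hit in zip(SAMPLES, scan(SAMPLES)):
        print("ALERT" if hit else "ok   ", record)
```

The third sample stays clean because the metacharacter sits in a different parameter, matching the rule's stop at '&'; the fourth and fifth are path variants the bsize:17 match would not see.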

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_msrc | | 6.5 | MEDIUM |