CVE-2025-15137
published 2025-12-28


Priority: P2 · 74
CVSS 3.1: 8.8 (high)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.35% (95.1th percentile)

A vulnerability was detected in TRENDnet TEW-800MB 1.0.1.0. Affected by this vulnerability is the function sub_F934 of the file NTPSyncWithHost.cgi. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trendnet | tew-800mb | | |
| trendnet | tew-800mb_firmware | | |

Detection & IOCs (extracted from sources)

path: /NTPSyncWithHost.cgi

snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TrendNet NTPSyncWithHost.cgi Command Injection Attempt (CVE-2025-15137)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/NTPSyncWithHost.cgi|3f|"; startswith; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-NTP-2c7e5dd4c5a580f999adcaff2c31978b; reference:cve,2025-15137; classtype:attempted-admin; sid:2066748; rev:1; metadata:attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_14, cve CVE_2025_15137, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect HTTP GET requests to /NTPSyncWithHost.cgi containing command injection metacharacters (;, newline, backtick, pipe, $) in the query string — encoded or unencoded.
  • The vulnerable function is sub_F934 in NTPSyncWithHost.cgi on TRENDnet TEW-800MB firmware 1.0.1.0; focus detection of injection attempts on this CGI endpoint.
  • The exploit is publicly available; prioritize detection on perimeter and internal network segments for plaintext HTTP traffic to networking equipment.
  • The Snort/Suricata rule (ET sid:2066748) is scoped to plaintext HTTP only (tls_state plaintext); it will not fire if the device is accessed over HTTPS.
  • The PCRE in the rule matches injection metacharacters only up to the first '&' character in the query string; chained parameters separated by '&' before the injection payload may evade the rule.
  • The vendor (TRENDnet) did not respond to disclosure; no patch is available for TEW-800MB firmware 1.0.1.0, so detection/blocking is the primary mitigation.
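
To cover the '&' gap noted above, the same check can be run over proxy or web access logs across the whole query string. The following is an added example, not part of the original page or the ET ruleset; it assumes combined-format log lines, and the parameter names (p1, p2), addresses and log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

CGI_PATH = "/NTPSyncWithHost.cgi"
# Metacharacters the rule looks for: ; newline backtick | $
META = set(";\n`|$")
# Request line inside a combined-format access log entry (assumed log format).
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def inspect_target(target):
    """Return the sorted metacharacters found anywhere in the decoded query
    string, or None when the request is not for the CGI at all."""
    parts = urlsplit(target)
    if unquote(parts.path) != CGI_PATH:
        return None
    return sorted(META & set(unquote(parts.query)))

def scan(lines):
    """Return (method, target, metachars, beyond_first_param) per finding.
    beyond_first_param is True when nothing before the first '&' matches,
    i.e. roughly the case the rule's PCRE would not see."""
    findings = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        hit = inspect_target(m["target"])
        if hit:
            first = unquote(urlsplit(m["target"]).query.split("&", 1)[0])
            findings.append((m["method"], m["target"], hit,
                             not (META & set(first))))
    return findings

# Constructed sample log lines (documentation addresses, placeholder params).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jan/2026:10:00:00 +0000] "GET /NTPSyncWithHost.cgi?p1=2026&p2=01 HTTP/1.1" 200 12',
    '192.0.2.11 - - [14/Jan/2026:10:00:05 +0000] "GET /NTPSyncWithHost.cgi?p1=2026%3Bx HTTP/1.1" 200 12',
    '192.0.2.12 - - [14/Jan/2026:10:00:09 +0000] "GET /NTPSyncWithHost.cgi?p1=2026&p2=01%7Cx HTTP/1.1" 200 12',
    '192.0.2.13 - - [14/Jan/2026:10:00:12 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for method, target, chars, beyond in scan(SAMPLE_LOG):
        note = "after first '&'" if beyond else "in first parameter"
        print(f"{method} {target} -> {chars!r} ({note})")
```

Findings flagged as lying beyond the first parameter are the ones worth reviewing even where sid:2066748 is deployed and quiet.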

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 7.4 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C