cbcvebase.
CVE-2025-15139
published 2025-12-28

CVE-2025-15139: A vulnerability has been found in TRENDnet TEW-822DRE 1.00B21/1.01B06. This affects the function sub_43ACF4 of the file /boafrm/formWsc. Such manipulation of…

PriorityP278high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
11.77%
95.6th percentile
A vulnerability has been found in TRENDnet TEW-822DRE 1.00B21/1.01B06. This affects the function sub_43ACF4 of the file /boafrm/formWsc. Such manipulation of the argument peerPin leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

4 ranges
VendorProductVersion rangeFixed in
trendnettew-822dre
trendnettew-822dre
trendnettew-822dre_firmware
trendnettew-822dre_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/boafrm/formWsc
urlhttps://pentagonal-time-3a7.notion.site/TRENDnet-TEW-822DRE-Command-Injection-2c9e5dd4c5a580f190e9c411ad627e9a
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TrendNet formWsc peerPin Parameter Command Injection Attempt (CVE-2025-15139)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/boafrm/formWsc"; http.request_body; content:"wizard_wps_ap.htm"; fast_pattern; content:"peerPin|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,pentagonal-time-3a7.notion.site/TRENDnet-TEW-822DRE-Command-Injection-2c9e5dd4c5a580f190e9c411ad627e9a; reference:cve,2025-15139; classtype:attempted-admin; sid:2066750; rev:1;)
  • Target HTTP POST requests to the exact URI /boafrm/formWsc (URI byte-size is exactly 15 characters).
  • Request body must contain the string 'wizard_wps_ap.htm', used as a fast-pattern anchor to identify WPS configuration submissions.
  • After the 'peerPin=' parameter (URL-encoded as peerPin%3d), look for shell metacharacters injected into the value: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • The vulnerable function is sub_43ACF4 in the /boafrm/formWsc handler; the injection point is the 'peerPin' argument passed to that function.
  • Traffic is expected in plaintext (TLS state: plaintext); deploy detection at the network perimeter and internally.
  • ·The Snort/Suricata rule (SID 2066750) uses a PCRE anchored relative to the 'peerPin=' field; ensure your IDS/IPS engine supports the '/R' (relative PCRE) modifier for accurate matching.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.02.1LOWCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.