cbcvebase.
CVE-2025-15471
published 2026-01-07

CVE-2025-15471: A vulnerability was detected in TRENDnet TEW-713RE 1.02. The impacted element is an unknown function of the file /goformX/formFSrvX. The manipulation of the…

PriorityP272critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
12.11%
95.6th percentile
A vulnerability was detected in TRENDnet TEW-713RE 1.02. The impacted element is an unknown function of the file /goformX/formFSrvX. The manipulation of the argument SZCMD results in os command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor confirms: "The product in question TEW-731RE for CVE-2025-15471 has been discontinued and end of life since October 23, 2020. We no longer provide support for this product, so we are not able to confirm the vulnerabilities. We will make an announcement on the website product support page and notify customers who registered their products with us." This vulnerability only affects products that are no longer supported by the maintainer.

Affected

2 ranges
VendorProductVersion rangeFixed in
trendnettew-713re
trendnettew-713re_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/goformX/formFSrvX
path/uapply.cgi
urlhttps://pentagonal-time-3a7.notion.site/Command-Injection-Vulnerability-in-formFSrvX-of-Trendnet-TEW-713RE-2d1e5dd4c5a5801481abe7a944763d39
urlhttps://pentagonal-time-3a7.notion.site/TrendNet-TEW-811DRU-2d2e5dd4c5a58016a612e99853b835f8
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TrendNet formFSrvX SZCMD Parameter Command Injection Attempt (CVE-2025-15471)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/goformX/formFSrvX|3f|"; startswith; fast_pattern; content:"OP=Reboot"; content:"SZCMD|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,pentagonal-time-3a7.notion.site/Command-Injection-Vulnerability-in-formFSrvX-of-Trendnet-TEW-713RE-2d1e5dd4c5a5801481abe7a944763d39; reference:cve,2025-15471; classtype:attempted-admin; sid:2066752; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TrendNet uapply.cgi DeviceURL Parameter Command Injection Attempt (CVE-2025-15471)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:11; content:"/uapply.cgi"; fast_pattern; http.request_body; content:"|22|apply_do|22|"; content:"|22|setDeviceURL|22|"; within:20; content:"|22|DeviceURL|22|"; content:"|22|DeviceURL|22|"; pcre:"/^(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,pentagonal-time-3a7.notion.site/TrendNet-TEW-811DRU-2d2e5dd4c5a58016a612e99853b835f8; reference:cve,2025-15471; classtype:attempted-admin; sid:2066608; rev:1;)
  • Exploit targets GET requests to /goformX/formFSrvX with parameters OP=Reboot and SZCMD containing shell metacharacters (;, newline, backtick, pipe, $) for OS command injection.
  • A second injection vector targets POST requests to /uapply.cgi with JSON body containing apply_do, setDeviceURL, and DeviceURL fields with shell metacharacters.
  • The attack is launched remotely over plaintext HTTP (tls_state: plaintext), targeting the device on the internal/perimeter network ($HOME_NET).
  • Shell injection characters to look for in SZCMD parameter (URL-encoded or raw): semicolon (%3B/;), newline (%0A/\n), backtick (%60/`), pipe (%7C/|), dollar sign (%24/$).
  • ·The affected device (TRENDnet TEW-713RE v1.02) is end-of-life as of October 23, 2020. No patch will be issued by the vendor; detection/network-level mitigation is the only available control.
  • ·The Snort rule sid:2066608 references CVE-2024-0918 in its metadata despite being attributed to CVE-2025-15471 in the rule message and reference fields — verify applicability before deploying.
  • ·The exploit is publicly available; treat any TRENDnet TEW-713RE device exposed to the network as immediately at risk.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.9HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.