Vulnerability-Lookup

CNVD-2026-14682

Vulnerability from cnvd - Published: 2026-03-24

Title

TRENDnet TEW-800MB命令注入漏洞

Description

TRENDnet TEW-800MB是美国趋势网络（TRENDnet）公司的一款双频无线路由器。 TRENDnet TEW-800MB存在命令注入漏洞，该漏洞源于文件/goform/wizardset中参数WizardConfigured的错误操作，攻击者可利用该漏洞执行任意命令。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-2c7e5dd4c5a58067bc81e530bf3191c0

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-15136

Impacted products

Name
TRENDnet TEW-800MB 1.0.1.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-15136",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-15136"
    }
  },
  "description": "TRENDnet TEW-800MB\u662f\u7f8e\u56fd\u8d8b\u52bf\u7f51\u7edc\uff08TRENDnet\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u53cc\u9891\u65e0\u7ebf\u8def\u7531\u5668\u3002 \n\nTRENDnet TEW-800MB\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6587\u4ef6/goform/wizardset\u4e2d\u53c2\u6570WizardConfigured\u7684\u9519\u8bef\u64cd\u4f5c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-2c7e5dd4c5a58067bc81e530bf3191c0",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-14682",
  "openTime": "2026-03-24",
  "products": {
    "product": "TRENDnet TEW-800MB 1.0.1.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-15136",
  "serverity": "\u9ad8",
  "submitTime": "2026-01-12",
  "title": "TRENDnet TEW-800MB\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2025-15136 (GCVE-0-2025-15136)

Vulnerability from cvelistv5 – Published: 2025-12-28 12:32 – Updated: 2026-02-24 06:06

Title

TRENDnet TEW-800MB Management wizardset do_setWizard_asp command injection

Summary

A security vulnerability has been detected in TRENDnet TEW-800MB 1.0.1.0. Affected is the function do_setWizard_asp of the file /goform/wizardset of the component Management Interface. The manipulation of the argument WizardConfigured leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

8.8 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

CWE

CWE-77 - Command Injection
CWE-74 - Injection

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.338514	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.338514	signaturepermissions-required
	https://vuldb.com/?submit.714042	third-party-advisory
	https://pentagonal-time-3a7.notion.site/TRENDnet-…	exploit

Impacted products

	Vendor	Product	Version
	TRENDnet	TEW-800MB	Affected: 1.0.1.0 cpe:2.3:o:trendnet:tew-800mb_firmware::::::::

Credits

Zephyr369 (VulDB User) VulDB

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-15136",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-29T17:20:20.515610Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-29T17:20:27.000Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:o:trendnet:tew-800mb_firmware:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Management Interface"
          ],
          "product": "TEW-800MB",
          "vendor": "TRENDnet",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Zephyr369 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in TRENDnet TEW-800MB 1.0.1.0. Affected is the function do_setWizard_asp of the file /goform/wizardset of the component Management Interface. The manipulation of the argument WizardConfigured leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 9,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-24T06:06:34.391Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-338514 | TRENDnet TEW-800MB Management wizardset do_setWizard_asp command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.338514"
        },
        {
          "name": "VDB-338514 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.338514"
        },
        {
          "name": "Submit #714042 | TRENDnet TEW-800mb v1.0.1.0 Command Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.714042"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-2c7e5dd4c5a58067bc81e530bf3191c0"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-27T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-12-27T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-12-28T15:13:26.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "TRENDnet TEW-800MB Management wizardset do_setWizard_asp command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-15136",
    "datePublished": "2025-12-28T12:32:06.349Z",
    "dateReserved": "2025-12-27T10:01:53.476Z",
    "dateUpdated": "2026-02-24T06:06:34.391Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-14682

CVE-2025-15136 (GCVE-0-2025-15136)

Tags

Sightings

Nomenclature