CVE-2025-15136 identifies a critical command injection vulnerability in the TRENDnet TEW-800MB router firmware version 1.0.1.0. The vulnerability resides in the do_setWizard_asp function of the /goform/wizardset endpoint, part of the device's management interface. Specifically, the WizardConfigured parameter is improperly sanitized, allowing an attacker to inject arbitrary OS commands. Since the management interface is accessible remotely and the vulnerability requires no authentication or user interaction, an attacker can exploit this flaw over the network to execute commands with elevated privileges on the device. This can lead to full device compromise, enabling attackers to manipulate network traffic, install malware, or pivot into internal networks. The vendor was contacted prior to public disclosure but did not respond or provide a patch, increasing the risk of exploitation. Although no known exploits in the wild have been reported yet, public exploit code is available, raising the likelihood of imminent attacks. The vulnerability has been assigned a CVSS 4.0 base score of 8.7, reflecting its high impact on confidentiality, integrity, and availability, combined with low attack complexity and no required privileges or user interaction.

The impact of CVE-2025-15136 is significant for organizations using the TRENDnet TEW-800MB router, as successful exploitation allows remote attackers to execute arbitrary commands with elevated privileges. This can lead to complete device takeover, enabling attackers to intercept or manipulate network traffic, disrupt network availability, exfiltrate sensitive information, or establish persistent footholds within corporate or home networks. Given the device’s role as a network gateway, compromise could facilitate lateral movement to other critical systems. The lack of vendor response and patch availability increases the risk of exploitation and potential widespread attacks. Organizations relying on this hardware for network connectivity or security should consider the vulnerability a critical operational risk, especially in environments with sensitive data or critical infrastructure. The vulnerability also undermines trust in the device’s management interface, potentially exposing administrative credentials or configurations.

Since no official patch or firmware update is available from TRENDnet, organizations should implement immediate compensating controls. These include restricting access to the management interface by limiting it to trusted internal networks or VPNs, disabling remote management if not required, and monitoring network traffic for suspicious activity targeting the /goform/wizardset endpoint. Network segmentation should be enforced to isolate vulnerable devices from critical systems. Employing intrusion detection/prevention systems (IDS/IPS) with signatures for command injection attempts can help detect exploitation attempts. Regularly auditing device configurations and logs for anomalies is recommended. If possible, consider replacing the affected hardware with devices from vendors with active security support. Organizations should also stay alert for vendor updates or community patches and apply them promptly once available.