CVE-2025-15371 is a vulnerability discovered in several Tenda router models, including i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G, and TEG5328F, affecting firmware versions up to 65.10.15.6. The flaw resides in an unspecified function within a component referred to as the Shadow File, where manipulation of input labeled 'Fireitup' leads to the exposure or use of hard-coded credentials embedded in the device firmware. These hard-coded credentials allow an attacker with local access—meaning physical access or access via a local network segment—to bypass normal authentication mechanisms and gain elevated privileges. The vulnerability does not require user interaction and can be exploited with low complexity, but it does require the attacker to have at least limited privileges or local network access. The CVSS 4.0 vector indicates local attack vector (AV:L), low attack complexity (AC:L), no attack target (AT:N), privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H, VI:H, VA:H). No known exploits are currently observed in the wild, but public disclosure of the exploit code increases the risk of exploitation. The vulnerability affects multiple firmware versions, indicating a broad attack surface across various Tenda devices commonly used in small to medium business and home environments. The lack of available patches or vendor advisories at this time means that mitigation must rely on network-level controls and operational security measures until firmware updates are released.

The vulnerability allows attackers with local access to bypass authentication using hard-coded credentials, potentially gaining administrative control over affected Tenda devices. This can lead to unauthorized configuration changes, interception or redirection of network traffic, deployment of malware, or denial of service. For European organizations, especially those relying on Tenda devices for critical network infrastructure or remote connectivity, this could result in significant confidentiality breaches, data integrity violations, and network availability disruptions. The impact is heightened in environments where physical security is limited or where attackers can gain access to local network segments, such as in shared office spaces or multi-tenant buildings. Compromise of these devices could also serve as a foothold for lateral movement within corporate networks, increasing the risk of broader compromise. The absence of patches and the public availability of exploit details further increase the urgency to address this vulnerability proactively.

1. Immediately restrict physical and local network access to affected Tenda devices to trusted personnel only. 2. Segment networks to isolate vulnerable devices from critical infrastructure and sensitive data environments. 3. Implement strong network access controls, including MAC address filtering and 802.1X authentication where possible, to limit unauthorized local access. 4. Monitor network traffic for unusual activity indicative of exploitation attempts, such as unexpected administrative logins or configuration changes. 5. Disable remote management interfaces on affected devices if enabled, to reduce attack surface. 6. Maintain an inventory of all Tenda devices and their firmware versions to identify and prioritize vulnerable units. 7. Engage with Tenda support channels to obtain firmware updates or official patches as they become available. 8. Consider replacing affected devices with models from vendors with a stronger security track record if patches are delayed. 9. Educate staff about the risks of local network attacks and enforce strict physical security policies around network equipment. 10. Use network intrusion detection/prevention systems to detect exploitation attempts targeting these devices.