
CVE-2025-5864: Improper Restriction of Excessive Authentication Attempts in Tenda TDSEE App

Severity: Medium
Published: Mon Jun 09 2025 (06/09/2025, 06:00:17 UTC)
Source: CVE Database V5
Vendor/Project: Tenda
Product: TDSEE App

Description

A vulnerability was found in Tenda TDSEE App up to 1.7.12. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /app/ConfirmSmsCode of the component Password Reset Confirmation Code Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.15 is able to address this issue. It is recommended to upgrade the affected component.

AI-Powered Analysis

Last updated: 07/09/2025, 11:41:38 UTC

Technical Analysis

CVE-2025-5864 is a medium-severity vulnerability affecting the Tenda TDSEE App versions up to 1.7.12. The vulnerability resides in the Password Reset Confirmation Code Handler, specifically in the /app/ConfirmSmsCode functionality. It involves improper restriction of excessive authentication attempts, meaning the application does not adequately limit the number of times a client can submit confirmation codes during the password reset process. This flaw allows a remote attacker to make repeated guesses without being blocked or throttled effectively. Although the attack complexity is considered high and exploitation is difficult, the vulnerability is remotely exploitable without requiring authentication or user interaction. The CVSS 4.0 base score is 6.3, reflecting a medium impact: low impact on confidentiality, no impact on integrity or availability, and high attack complexity. The vulnerability was publicly disclosed on June 9, 2025, and a fixed version 1.7.15 of the TDSEE App has been released to address this issue. No known exploits are currently observed in the wild. The vulnerability could be leveraged in brute force or enumeration attacks against password reset mechanisms, potentially allowing attackers to gain unauthorized access to user accounts if combined with other weaknesses or social engineering. However, the high complexity and lack of direct integrity or availability impact limit the immediate risk severity.
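The weakness class described above, shown as an added illustration (not code from Tenda or from this advisory): a confirmation-code check with no attempt bound beside a hardened handler that caps attempts per reset session, expires the code, and burns it after a successful or locked-out session. The `ResetSession` object, the six-digit code format and the `account` names are assumptions for the example.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # guesses allowed per reset session before lockout
CODE_TTL_SECONDS = 300    # code is worthless after five minutes


class ResetSession:
    """One password-reset session: a one-time SMS code bound to an account.
    (Assumed model for the example; not the TDSEE backend's own structure.)"""

    def __init__(self, account, code=None, now=None):
        self.account = account
        # six-digit numeric code, as typical SMS reset flows use
        self.code = code if code is not None else f"{secrets.randbelow(10**6):06d}"
        self.created = time.time() if now is None else now
        self.attempts = 0
        self.locked = False


def confirm_code_unthrottled(session, submitted):
    """Weak pattern (CWE-307 style): every call is a fresh comparison, nothing
    counts failures, so a remote client may keep submitting codes indefinitely."""
    return hmac.compare_digest(session.code, submitted)


def confirm_code(session, submitted, now=None):
    """Hardened handler. Returns 'ok', 'bad', 'locked' or 'expired'.
    The session is invalidated on success, on expiry and on too many failures,
    so a new code must be requested through the normal flow afterwards."""
    now = time.time() if now is None else now
    if session.locked:
        return "locked"
    if now - session.created > CODE_TTL_SECONDS:
        session.locked = True
        return "expired"
    session.attempts += 1
    if hmac.compare_digest(session.code, submitted):
        session.locked = True          # one-time use: burn the code
        return "ok"
    if session.attempts >= MAX_ATTEMPTS:
        session.locked = True          # refuse further guesses on this session
        return "locked"
    return "bad"
```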

Potential Impact

For European organizations using Tenda TDSEE App, this vulnerability poses a moderate risk primarily to user account security and confidentiality. The improper restriction of authentication attempts could enable attackers to perform brute force or enumeration attacks on password reset confirmation codes, potentially leading to unauthorized account access. This could result in exposure of sensitive user data or unauthorized control over network devices managed via the app, especially if the app is used for managing routers or IoT devices. While the direct impact on system integrity and availability is minimal, compromised accounts could be leveraged for further attacks or lateral movement within organizational networks. The medium severity and high attack complexity reduce the likelihood of widespread exploitation, but organizations with high reliance on Tenda devices or apps for network management should be vigilant. Additionally, the remote exploitability without user interaction increases the attack surface. The impact is more pronounced in sectors with critical infrastructure or sensitive data, such as telecommunications, government, and enterprises using Tenda networking equipment.

Mitigation Recommendations

European organizations should immediately upgrade the Tenda TDSEE App to version 1.7.15 or later to remediate this vulnerability. Beyond patching, organizations should implement multi-factor authentication (MFA) for account access to reduce the risk of unauthorized access even if password reset mechanisms are targeted. Monitoring and alerting on unusual password reset activity or repeated authentication attempts can help detect exploitation attempts early. Network segmentation should be enforced to limit the exposure of devices managed by the app. Additionally, organizations should review and tighten password reset policies, including rate limiting and CAPTCHA integration, to prevent automated brute force attacks. User education about phishing and social engineering risks related to password resets can further reduce risk. Finally, maintaining an inventory of all Tenda devices and apps in use will help prioritize patch deployment and risk assessment.
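The monitoring recommendation above, worked as an added example (not code from Tenda or from this advisory): a sliding-window detector that flags repeated failed confirmations against /app/ConfirmSmsCode, keyed both per account-and-source and per source alone so that one client cycling through accounts is also caught. The log line format and the sample lines are constructed for the example, not the TDSEE backend's real log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): timestamp, endpoint, account, source, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) POST /app/ConfirmSmsCode account=(?P<account>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|bad)$"
)

# Constructed sample: six failures against one account from one source in
# seconds, then a legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2025-06-09T06:00:01Z POST /app/ConfirmSmsCode account=alice src=203.0.113.5 result=bad
2025-06-09T06:00:02Z POST /app/ConfirmSmsCode account=alice src=203.0.113.5 result=bad
2025-06-09T06:00:03Z POST /app/ConfirmSmsCode account=alice src=203.0.113.5 result=bad
2025-06-09T06:00:04Z POST /app/ConfirmSmsCode account=alice src=203.0.113.5 result=bad
2025-06-09T06:00:05Z POST /app/ConfirmSmsCode account=alice src=203.0.113.5 result=bad
2025-06-09T06:00:06Z POST /app/ConfirmSmsCode account=alice src=203.0.113.5 result=bad
2025-06-09T06:05:00Z POST /app/ConfirmSmsCode account=bob src=198.51.100.7 result=bad
2025-06-09T06:05:20Z POST /app/ConfirmSmsCode account=bob src=198.51.100.7 result=ok
"""


def parse(line):
    """Return the event as a dict (timestamp parsed) or None for unmatched lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {key: peak_failures} for every key whose failed confirmations
    reached `threshold` inside a sliding `window`. Keys are (account, src)
    and ('*', src); the latter catches one source spraying many accounts."""
    alerts = {}
    failures = defaultdict(list)   # key -> timestamps of failures still in window
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "bad":
            continue
        for key in ((ev["account"], ev["src"]), ("*", ev["src"])):
            hist = failures[key]
            hist.append(ev["ts"])
            while hist and ev["ts"] - hist[0] > window:   # expire old failures
                hist.pop(0)
            if len(hist) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(hist))
    return alerts
```

Lines the regex does not match are skipped rather than treated as failures, so a noisy log does not raise false alerts.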


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-08T13:30:21.881Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6846c60e7b622a9fdf1e7933

Added to database: 6/9/2025, 11:31:26 AM

Last enriched: 7/9/2025, 11:41:38 AM

Last updated: 7/30/2025, 4:14:52 PM
