CVE-2025-63666: n/a
Tenda AC15 (v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to access protected resources.
AI Analysis
Technical Summary
CVE-2025-63666 is a severe vulnerability affecting the Tenda AC15 router firmware version 15.03.05.18_multi. The flaw arises from the router issuing an authentication cookie that directly exposes the account password hash to the client side. Additionally, the session identifier is a short, low-entropy suffix, making it trivial to guess or brute force. This combination allows an attacker with network access, or the capability to run malicious JavaScript in a victim's browser, to steal the authentication cookie. Once stolen, the cookie can be replayed to bypass authentication controls and access protected router resources, potentially including administrative interfaces and network configuration settings. The vulnerability is classified under CWE-284 (Improper Access Control), indicating a failure to properly restrict access to sensitive functions. The CVSS v3.1 base score is 9.8 (critical), reflecting the vulnerability's ease of exploitation (network attack vector, no privileges or user interaction required) and its impact on confidentiality, integrity, and availability. Although no patches or exploits are currently reported, the exposure of password hashes combined with weak session tokens poses a significant risk of credential compromise and unauthorized network control. This vulnerability could facilitate further attacks such as network traffic interception, device manipulation, or lateral movement within corporate networks.
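To make the two weaknesses concrete, the following added example (not Tenda code; the exact cookie layout is not published in this advisory and is assumed here for contrast) places the described weak pattern beside a hardened session design: an opaque random token that maps to the account only in a server-side table, expires on idle, and is delivered with cookie attributes that blunt the JS-theft and network-capture vectors.

```python
import secrets
import time
from typing import Optional

# Assumed shape of the weak pattern described in the advisory: the account's
# password hash is sent to the client and only a tiny suffix varies per session.
ASSUMED_SUFFIX_HEX_CHARS = 4  # 16 bits of randomness: far too small

def weak_cookie(password_hash: str) -> str:
    """Weak pattern (assumed layout): static hash + short random suffix."""
    return password_hash + secrets.token_hex(ASSUMED_SUFFIX_HEX_CHARS // 2)

def session_id_bits(cookie_value: str, password_hash: str) -> int:
    """Audit helper: bits of session randomness left once the static hash is removed."""
    variable_part = cookie_value.replace(password_hash, "")
    return len(variable_part) * 4  # each hex digit carries 4 bits

# Hardened pattern: 256-bit opaque token, account mapping kept server-side,
# idle timeout so a captured cookie stops working after SESSION_TTL_S seconds.
SESSION_TTL_S = 900
_sessions: dict[str, tuple[str, float]] = {}  # token -> (account, last_seen)

def issue_session(account: str, now: Optional[float] = None) -> str:
    token = secrets.token_urlsafe(32)  # nothing about the password is in it
    _sessions[token] = (account, time.time() if now is None else now)
    return token

def resolve_session(token: str, now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    account, last_seen = entry
    if now - last_seen > SESSION_TTL_S:
        del _sessions[token]  # expired: a replayed old cookie is rejected
        return None
    _sessions[token] = (account, now)  # refresh idle timer on legitimate use
    return account

def set_cookie_header(token: str) -> str:
    # HttpOnly keeps script from reading it, Secure keeps it off plaintext
    # links, SameSite=Strict stops cross-site requests from carrying it.
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"
```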
Potential Impact
For European organizations, this vulnerability presents a high risk of unauthorized access to network infrastructure, potentially leading to data breaches, network downtime, and compromise of internal systems. The exposure of password hashes could allow attackers to crack credentials offline, escalating access privileges. The ability to replay stolen cookies without authentication or user interaction increases the attack surface, especially in environments where Tenda AC15 routers are deployed at scale. Critical sectors such as finance, healthcare, government, and telecommunications could face severe operational disruptions and data confidentiality violations. The vulnerability also undermines trust in network security and may lead to regulatory non-compliance under GDPR if personal data is exposed or compromised. Given the lack of patches, organizations must assume the vulnerability is exploitable and prioritize mitigation to prevent potential exploitation.
Mitigation Recommendations
1. Immediately isolate Tenda AC15 routers from untrusted networks and restrict management interfaces to trusted internal networks only.
2. Disable remote management features and any unnecessary services on the affected routers to reduce exposure.
3. Implement network segmentation to limit attacker movement if a device is compromised.
4. Deploy web application firewalls or intrusion detection systems to monitor and block suspicious cookie replay or session hijacking attempts.
5. Educate users and administrators about the risks of executing untrusted JavaScript in browsers connected to the network.
6. Regularly audit router configurations and logs for signs of unauthorized access or anomalous activity.
7. Monitor vendor communications for firmware updates or patches and apply them promptly once available.
8. Consider replacing vulnerable devices with models that have a stronger security posture if immediate patching is not feasible.
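Recommendation 4 calls for monitoring cookie replay. The added example below (not from the advisory or the vendor) runs a simple replay heuristic over constructed access-log lines in an assumed format: a session cookie value that appears from a second client IP or user agent within a short window is flagged, which is the signature of a cookie stolen and reused from elsewhere.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed log format (not real Tenda output):
# <ISO timestamp> <client ip> "<user agent>" cookie=<session value> <path>
SAMPLE_LOG = """\
2025-11-12T15:00:01 192.168.1.20 "Mozilla/5.0 (Windows NT 10.0)" cookie=a1b2c3 /index.htm
2025-11-12T15:00:05 192.168.1.20 "Mozilla/5.0 (Windows NT 10.0)" cookie=a1b2c3 /status
2025-11-12T15:01:10 10.0.0.77 "curl/8.4.0" cookie=a1b2c3 /admin/config
2025-11-12T15:02:00 192.168.1.31 "Mozilla/5.0 (X11; Linux)" cookie=zz9y8x /index.htm
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" cookie=(\S+) (\S+)$')

def find_replays(log_text: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Flag each session cookie first seen from one client and then reused
    from a different IP or user agent within `window`. One alert per cookie."""
    seen = defaultdict(list)   # cookie -> [(timestamp, ip, ua)]
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.fromisoformat(m.group(1))
        ip, ua, cookie, path = m.group(2), m.group(3), m.group(4), m.group(5)
        if cookie not in alerted:
            for prev_ts, prev_ip, prev_ua in seen[cookie]:
                if ts - prev_ts <= window and (ip != prev_ip or ua != prev_ua):
                    alerts.append({
                        "cookie": cookie, "original_ip": prev_ip,
                        "replay_ip": ip, "replay_ua": ua, "path": path,
                    })
                    alerted.add(cookie)
                    break
        seen[cookie].append((ts, ip, ua))
    return alerts

if __name__ == "__main__":
    for a in find_replays(SAMPLE_LOG):
        print(f"possible replay of cookie {a['cookie']}: "
              f"{a['original_ip']} -> {a['replay_ip']} ({a['replay_ua']}) on {a['path']}")
```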
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6914a3a0917942a77a010ac6
Added to database: 11/12/2025, 3:11:28 PM
Last enriched: 11/19/2025, 3:47:53 PM
Last updated: 12/27/2025, 8:28:39 PM
Views: 64