CVE-2025-63666: n/a
Tenda AC15 (v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to access protected resources.
AI Analysis
Technical Summary
CVE-2025-63666 is a security vulnerability identified in the Tenda AC15 router firmware version 15.03.05.18_multi. The issue arises because the router issues an authentication cookie that inadvertently exposes the account password hash to the client side. This exposure is a critical flaw as it leaks sensitive credential information directly to the user’s browser environment. Additionally, the session identifier used by the router is composed of a short, low-entropy suffix, which significantly weakens the security of session management. This weak session token can be easily guessed or brute-forced by an attacker. The combined effect of these weaknesses allows an adversary who has network access or can execute JavaScript in the victim’s browser (e.g., via cross-site scripting or malicious web content) to steal the authentication cookie. Once stolen, the attacker can replay the cookie to gain unauthorized access to protected resources on the router’s management interface or connected network services. This vulnerability compromises the confidentiality of user credentials and the integrity of session management, potentially leading to unauthorized administrative access. Although no known exploits are currently reported in the wild and no official patches have been published, the vulnerability is publicly disclosed and should be treated with urgency. The lack of a CVSS score indicates that severity assessment must be based on the nature of the flaw and its potential impact. The vulnerability affects the router’s authentication mechanism, which is a critical security component, and the ease of exploitation is moderate given the requirement for network access or JavaScript execution capabilities.
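As an added illustration of the two weaknesses described above (this is not the router's code and is not from the advisory's author): a hypothetical server-side session issuer that keeps credential material off the client and uses a 256-bit random identifier, beside an audit function an operator can run over an observed cookie value. The session store, the function names, the `credential_digests` parameter and the constructed `WEAK_COOKIE` are all assumptions; the page does not document the device's real cookie layout or which digest algorithm it uses.

```python
import hashlib
import math
import secrets
import string

# Hypothetical server-side session store (constructed for this example): the
# cookie carries only an opaque random handle, the handle -> account mapping
# stays on the server, and nothing derived from the password reaches the client.
_SESSIONS = {}


def _handle(token):
    # Keep a digest rather than the raw token so a leaked store is not directly replayable.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(username):
    """Mint a session token with 256 bits of CSPRNG entropy and bind it to the account."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[_handle(token)] = username
    return token


def resolve_session(token):
    """Account bound to a presented token, or None if the token is unknown."""
    return _SESSIONS.get(_handle(token))


def revoke_session(token):
    """Invalidate a token server-side (logout, or response to a suspected theft)."""
    _SESSIONS.pop(_handle(token), None)


def set_cookie_header(token):
    """Set-Cookie value with the attributes that limit theft via script and cross-site replay."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


def estimate_bits(identifier):
    """Upper bound on an identifier's entropy from its length and the character classes it uses."""
    alphabet = 0
    if any(c in string.digits for c in identifier):
        alphabet += 10
    if any(c in string.ascii_lowercase for c in identifier):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in identifier):
        alphabet += 26
    if any(c not in string.ascii_letters + string.digits for c in identifier):
        alphabet += 32  # symbols: rough allowance for a base64url/punctuation set
    return len(identifier) * math.log2(alphabet) if alphabet else 0.0


def audit_session_cookie(value, credential_digests=(), min_bits=128):
    """Check an observed cookie value for the two weaknesses the advisory describes.

    credential_digests: hex digests of the account password that an operator can
    compute from their own credentials; any of them appearing in the cookie means
    credential material is being sent to the client.
    """
    findings = []
    session_part = value
    for digest in credential_digests:
        idx = value.lower().find(digest.lower()) if digest else -1
        if idx >= 0:
            findings.append("cookie embeds the account password hash")
            # Score only the remaining part as the session identifier.
            session_part = value[:idx] + value[idx + len(digest):]
            break
    bits = estimate_bits(session_part)
    if bits < min_bits:
        findings.append(f"session identifier has roughly {bits:.0f} bits of entropy (< {min_bits})")
    return findings


# Constructed weak cookie in the style the advisory describes: a password digest
# followed by a short numeric suffix. Password and digest algorithm are
# illustrative only; the real device's format is not documented on this page.
EXAMPLE_PASSWORD_DIGEST = hashlib.md5(b"example-password").hexdigest()
WEAK_COOKIE = EXAMPLE_PASSWORD_DIGEST + "0042"

if __name__ == "__main__":
    print(audit_session_cookie(WEAK_COOKIE, [EXAMPLE_PASSWORD_DIGEST]))
    token = issue_session("admin")
    print(set_cookie_header(token), resolve_session(token), audit_session_cookie(token))
```

The audit only recognises the embedded hash when it is handed the digest to look for; without it, a 32-character hex string scores as high-entropy, so an operator checking their own device should supply the digest(s) of their own password in whatever algorithm the device uses. `estimate_bits` is an upper bound: a 4-digit suffix scores about 13 bits, which is the "short, low-entropy" condition the advisory describes.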
Potential Impact
For European organizations, the impact of CVE-2025-63666 can be significant, especially for those relying on Tenda AC15 routers in their network infrastructure. Unauthorized access to router management interfaces can lead to network configuration changes, interception of network traffic, and potential lateral movement within the network. Confidentiality is compromised due to exposure of password hashes, which could be further cracked offline. Integrity is at risk as attackers can manipulate router settings or inject malicious configurations. Availability could also be affected if attackers disrupt network services or lock out legitimate administrators. Organizations with remote or poorly segmented networks are particularly vulnerable. The threat is heightened in environments where users frequently access router management interfaces via browsers, increasing the risk of JavaScript-based attacks. European enterprises in sectors such as telecommunications, small and medium enterprises, and critical infrastructure that deploy Tenda routers are at risk of espionage, data breaches, and operational disruption. The absence of patches increases the window of exposure, necessitating immediate mitigation efforts.
Mitigation Recommendations
1. Immediately isolate Tenda AC15 routers running the vulnerable firmware version from untrusted networks and restrict management interface access to trusted administrators only.
2. Implement network segmentation to limit exposure of router management interfaces to internal networks and trusted hosts.
3. Deploy web application firewalls or browser security controls to prevent execution of unauthorized JavaScript that could steal cookies.
4. Monitor network traffic for unusual session replay attempts or unauthorized access patterns to router interfaces.
5. Encourage users to avoid accessing router management interfaces from untrusted or public networks.
6. Regularly audit router firmware versions and configurations to identify vulnerable devices.
7. Contact Tenda support for firmware updates or security advisories and apply patches as soon as they become available.
8. Use multi-factor authentication for router management access if supported to reduce risk of session hijacking.
9. Educate users and administrators about phishing and cross-site scripting risks that could facilitate JavaScript injection attacks.
10. Consider replacing vulnerable routers with models that have stronger authentication and session management controls if patches are delayed.
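An added example for the monitoring recommendation (not from the advisory or from Tenda): two detection rules run over constructed access-log lines. The first flags a session cookie presented by more than one client identity (source IP plus user agent), which is what a stolen cookie being replayed looks like in a log; the second flags a single source cycling through many distinct cookie values, which is what guessing a short identifier looks like. The log format, the paths, the addresses and the `sess=`/`ua=` fields are assumptions; a real router or reverse-proxy log will need its own regular expression.

```python
import re
from collections import defaultdict

# Constructed log format (hypothetical; real router or reverse-proxy logs differ):
# <timestamp> <client-ip> "<method> <path>" <status> sess=<cookie-value> ua="<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) sess=(?P<sess>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample traffic: an administrator authenticates from a LAN host and
# the same cookie value is later presented from another host with another client.
SAMPLE_LOG = """\
2025-11-12T15:00:01Z 192.168.0.20 "POST /login" 200 sess=tokA ua="Mozilla/5.0 (X11; Linux)"
2025-11-12T15:00:05Z 192.168.0.20 "GET /status" 200 sess=tokA ua="Mozilla/5.0 (X11; Linux)"
2025-11-12T15:02:40Z 10.0.0.77 "GET /admin/settings" 200 sess=tokA ua="python-requests/2.32"
2025-11-12T15:03:10Z 192.168.0.31 "GET /index.htm" 200 sess=tokB ua="Mozilla/5.0 (Windows NT 10.0)"
"""

# Second constructed sample: one source presenting many different cookie values
# in quick succession, all rejected.
GUESSING_LOG = "\n".join(
    f'2025-11-12T15:05:{i % 60:02d}Z 10.0.0.77 "GET /status" 401 sess=id{i:04d} ua="curl/8.0"'
    for i in range(25)
)


def parse_log(lines):
    """Parse lines matching LOG_RE into dicts; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_session_replay(lines):
    """One alert per session cookie presented by more than one (ip, user-agent) identity."""
    clients = defaultdict(set)
    first_seen = {}
    for ev in parse_log(lines):
        clients[ev["sess"]].add((ev["ip"], ev["ua"]))
        first_seen.setdefault(ev["sess"], ev["ts"])
    return [
        {"session": sess, "first_seen": first_seen[sess], "clients": sorted(idents)}
        for sess, idents in clients.items()
        if len(idents) > 1
    ]


def detect_session_guessing(lines, threshold=20):
    """Alert on any source that presents at least `threshold` distinct session values."""
    by_ip = defaultdict(set)
    for ev in parse_log(lines):
        by_ip[ev["ip"]].add(ev["sess"])
    return [
        {"ip": ip, "distinct_sessions": len(sessions)}
        for ip, sessions in by_ip.items()
        if len(sessions) >= threshold
    ]


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG.splitlines()):
        print("replay:", alert)
    for alert in detect_session_guessing(GUESSING_LOG.splitlines()):
        print("guessing:", alert)
```

The replay rule keys on the cookie value itself, so it only works where the log (or a proxy in front of the device) records it; the user-agent component means a user switching browsers on the same host also trips it, which is the intended bias for an administrative interface that should see very few clients. The guessing threshold is per source over the whole input; in production, bucket by time window so a long-running log does not accumulate false positives.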
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6914a3a0917942a77a010ac6
Added to database: 11/12/2025, 3:11:28 PM
Last enriched: 11/12/2025, 3:26:25 PM
Last updated: 11/12/2025, 5:03:00 PM