ByteOS Network

CVE Vulnerability Details :

CVE-2025-15371

PUBLISHED

More Info Official Page

Assigner-VulDB

Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5

Published At-31 Dec, 2025 | 01:02

Updated At-02 Jan, 2026 | 14:38

▼CVE Numbering Authority (CNA)

Tenda i24 Shadow File hard-coded credentials

A vulnerability has been found in Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F up to 65.10.15.6. Affected is an unknown function of the component Shadow File. Such manipulation with the input Fireitup leads to hard-coded credentials. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

Affected Products

Vendor

Tenda Technology Co., Ltd.

Product

i24

Modules

Shadow File

Versions

Affected

1.0.0.35
3.0.0.8(4008)
04.03.01.49
04.05.01.15
04.08.01.28
16.01.8.5
65.10.15.6

Vendor

Tenda Technology Co., Ltd.

Product

4G03 Pro

Modules

Shadow File

Versions

Affected

1.0.0.35
3.0.0.8(4008)
04.03.01.49
04.05.01.15
04.08.01.28
16.01.8.5
65.10.15.6

Vendor

Tenda Technology Co., Ltd.

Product

4G05

Modules

Shadow File

Versions

Affected

1.0.0.35
3.0.0.8(4008)
04.03.01.49
04.05.01.15
04.08.01.28
16.01.8.5
65.10.15.6

Vendor

Tenda Technology Co., Ltd.

Product

4G08

Modules

Shadow File

Versions

Affected

1.0.0.35
3.0.0.8(4008)
04.03.01.49
04.05.01.15
04.08.01.28
16.01.8.5
65.10.15.6

Vendor

Tenda Technology Co., Ltd.

Product

G0-8G-PoE

Modules

Shadow File

Versions

Affected

1.0.0.35
3.0.0.8(4008)
04.03.01.49
04.05.01.15
04.08.01.28
16.01.8.5
65.10.15.6

Vendor

Tenda Technology Co., Ltd.

Product

Nova MW5G

Modules

Shadow File

Versions

Affected

1.0.0.35
3.0.0.8(4008)
04.03.01.49
04.05.01.15
04.08.01.28
16.01.8.5
65.10.15.6

Vendor

Tenda Technology Co., Ltd.

Product

TEG5328F

Modules

Shadow File

Versions

Affected

1.0.0.35
3.0.0.8(4008)
04.03.01.49
04.05.01.15
04.08.01.28
16.01.8.5
65.10.15.6

Problem Types

Type	CWE ID	Description
CWE	CWE-798	Hard-coded Credentials
CWE	CWE-259	Use of Hard-coded Password

Type: CWE

CWE ID: CWE-798

Description: Hard-coded Credentials

Type: CWE

CWE ID: CWE-259

Description: Use of Hard-coded Password

Metrics

Version	Base score	Base severity	Vector
4.0	8.5	HIGH	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
3.1	7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
3.0	7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
2.0	6.8	N/A	AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR

Version: 4.0

Base score: 8.5

Base severity: HIGH

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Version: 3.1

Base score: 7.8

Base severity: HIGH

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

Version: 3.0

Base score: 7.8

Base severity: HIGH

Vector:

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

Version: 2.0

Base score: 6.8

Base severity: N/A

Vector:

AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR

Credits

reporter

vlun-1 (VulDB User)

Timeline

Event	Date
Advisory disclosed	2025-12-30 00:00:00
VulDB entry created	2025-12-30 01:00:00
VulDB entry last update	2025-12-30 19:37:46

Event: Advisory disclosed

Date: 2025-12-30 00:00:00

Event: VulDB entry created

Date: 2025-12-30 01:00:00

Event: VulDB entry last update

Date: 2025-12-30 19:37:46

References

Hyperlink	Resource
https://vuldb.com/?id.339075	vdb-entry technical-description
https://vuldb.com/?ctiid.339075	signature permissions-required
https://vuldb.com/?submit.727155	third-party-advisory
https://vuldb.com/?submit.727283	third-party-advisory
https://vuldb.com/?submit.727284	third-party-advisory
https://vuldb.com/?submit.727285	third-party-advisory
https://vuldb.com/?submit.727302	third-party-advisory
https://vuldb.com/?submit.727305	third-party-advisory
https://vuldb.com/?submit.727306	third-party-advisory
https://github.com/vuln-1/vuln/blob/main/Tenda/i24v3.0_V3.0.0.8/report-1.md	exploit
https://www.tenda.com.cn/	product