One Request to Rule Them All: Critical Trendnet Flaw (CVE-2025-15471) Allows Total Takeover
Ddos 
A critical pre-authentication command injection vulnerability has been uncovered in the Trendnet TEW-713RE Wi-Fi extender, allowing remote attackers to seize full control of the device with a single HTTP request. The flaw, tracked as CVE-2025-15471, carries a devastating CVSS score of 9.8, marking it as an urgent threat to any network where this hardware is deployed.
The vulnerability stems from a reckless design choice that exposes a highly dangerous system management interface to the open web without requiring a password.
At the core of the issue is the formFSrvX handler within the device’s firmware. This component is intended for internal operations like rebooting the device or applying settings. However, analysis reveals that it accepts a parameter named SZCMD (String Command), which is designed to carry “complete shell commands, not restricted arguments”.
Because the backend blindly executes whatever value is passed into this parameter, an attacker can simply send a crafted web request to the /goformX/formFSrvX endpoint to run arbitrary code on the device.
“The backend directly executes the provided value,” the report explains. “No authentication check is enforced before command execution”.
The implications are severe. Since the web server process runs with root privileges, any command injected by an attacker executes with the highest possible permission level.
“An unauthenticated attacker can fully take control of the device, enable backdoors (telnet/ssh), intercept traffic, or use the device as a pivot point inside the local network”.
The exploit is terrifyingly simple. Attackers do not need valid credentials, a session cookie, or an authentication token. “The attack can be performed via a single HTTP request”.
Researcher Jingwei Feng demonstrated the flaw by creating a test environment using FirmAE simulation. Jingwei showed that by sending a specific URL containing a shell command (like ls > /tmp/pwned), they could successfully execute code on the device.
The vulnerability was identified through “firmware reverse engineering and frontend-backend interaction analysis,” which exposed that the device’s own frontend code was constructing URLs with embedded shell commands like kill and sleep.
The report outlines four key remediation steps for the vendor to secure the device:
- Remove Shell Execution: The backend must never accept full shell commands from HTTP input.
- Enforce Authentication: All management interfaces must require a valid login.
- Whitelist Commands: Replace direct shell execution with fixed internal handlers.
- Least Privilege: Ensure web server processes do not run as root.
Until a firmware update is released, users are advised to restrict access to the device’s management interface and ensure it is not exposed to the public internet.
Donate