We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-5864

Tenda TDSEE App Password Reset Confirmation Code ConfirmSmsCode excessive authentication



Description

EN DE

A vulnerability was found in Tenda TDSEE App up to 1.7.12. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /app/ConfirmSmsCode of the component Password Reset Confirmation Code Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.15 is able to address this issue. It is recommended to upgrade the affected component.

In Tenda TDSEE App bis 1.7.12 wurde eine problematische Schwachstelle ausgemacht. Dabei geht es um eine nicht genauer bekannte Funktion der Datei /app/ConfirmSmsCode der Komponente Password Reset Confirmation Code Handler. Durch Manipulation mit unbekannten Daten kann eine improper restriction of excessive authentication attempts-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Die Komplexität eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar. Der Exploit steht zur öffentlichen Verfügung. Ein Aktualisieren auf die Version 1.7.15 vermag dieses Problem zu lösen. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.

Reserved 2025-06-08 | Published 2025-06-09 | Updated 2025-06-09 | Assigner VulDB


MEDIUM: 6.3CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
LOW: 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
LOW: 3.7CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
2.6AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C

Problem types

Improper Restriction of Excessive Authentication Attempts

Improper Control of Interaction Frequency

Product status

1.7.0
affected

1.7.1
affected

1.7.2
affected

1.7.3
affected

1.7.4
affected

1.7.5
affected

1.7.6
affected

1.7.7
affected

1.7.8
affected

1.7.9
affected

1.7.10
affected

1.7.11
affected

1.7.12
affected

Timeline

2025-06-08:Advisory disclosed
2025-06-08:VulDB entry created
2025-06-08:VulDB entry last update

Credits

k3vg3n (VulDB User) reporter

k3vg3n (VulDB User) analyst

References

vuldb.com/?id.311623 (VDB-311623 | Tenda TDSEE App Password Reset Confirmation Code ConfirmSmsCode excessive authentication) vdb-entry

vuldb.com/?ctiid.311623 (VDB-311623 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.592074 (Submit #592074 | Tenda TDSEE mobile application 1.7.12 Authorization Bypass) third-party-advisory

blog.kevgen.ru/posts/account_takeover_in_tdsee_app/ related

github.com/...hes/blob/main/Account_takeover_in_TDSEE_app.md exploit

www.tenda.com.cn/ product

cve.org (CVE-2025-5864)

nvd.nist.gov (CVE-2025-5864)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-5864

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.