Vulnerability Details CVE-2025-63666
Tenda AC15 v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to access protected resources.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 15.5%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2025-63666
-
cpe:2.3:h:tenda:ac15:-
-
cpe:2.3:o:tenda:ac15_firmware:15.03.05.18