CVE-2025-0349
Published: 09 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-0349 is a critical stack-based buffer overflow vulnerability in Tenda AC6 router firmware version 15.03.05.16. The flaw affects the GetParentControlInfo function in the /goform/GetParentControlInfo file and is triggered by manipulation of the src/mac argument. It maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write), and was published on 2025-01-09.
The vulnerability enables remote exploitation over the network with low attack complexity, requiring only low privileges (PR:L), no user interaction, and no change in scope (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8). A low-privileged attacker could achieve high impacts on confidentiality, integrity, and availability, potentially resulting in arbitrary code execution or full device compromise.
Advisories and details are available via VulDB entries (https://vuldb.com/?ctiid.290862, https://vuldb.com/?id.290862, https://vuldb.com/?submit.477048) and the Tenda vendor site (https://www.tenda.com.cn/). A proof-of-concept exploit has been publicly disclosed in a GitHub issue (https://github.com/wy876/cve/issues/5) and may be used; other parameters might also be affected.
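The following added example is not Tenda firmware code and is not taken from the advisories. It contrasts the generic unbounded-copy pattern behind CWE-121 with a handler-side check that accepts a `mac` value only if it is a well-formed 17-character address. The function names and buffer size are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAC_STR_LEN 17                 /* "aa:bb:cc:dd:ee:ff" */
#define MAC_BUF_LEN (MAC_STR_LEN + 1)  /* plus terminating NUL */

/* Unsafe pattern (CWE-121): the number of bytes written is decided by
 * the request, not by the destination. Shown for contrast only. */
void copy_mac_unsafe(char dst[MAC_BUF_LEN], const char *param)
{
    strcpy(dst, param);
}

/* Hardened form (hypothetical helper): validate length and format
 * before any byte of the request value is written to dst.
 * Returns 0 on success, -1 on rejection (dst is left as ""). */
int copy_mac_checked(char dst[MAC_BUF_LEN], const char *param)
{
    dst[0] = '\0';
    if (param == NULL)
        return -1;

    /* Reads at most MAC_BUF_LEN bytes of param: a short value fails on
     * its NUL, an oversized one fails on the first out-of-place byte. */
    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        unsigned char c = (unsigned char)param[i];
        if (i % 3 == 2) {
            if (c != ':')
                return -1;
        } else if (!isxdigit(c)) {
            return -1;
        }
    }
    if (param[MAC_STR_LEN] != '\0')    /* trailing data: too long */
        return -1;

    memcpy(dst, param, MAC_BUF_LEN);   /* 17 characters + NUL */
    return 0;
}
```
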
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stack-based buffer overflow in the Tenda AC6 router's public-facing web interface (/goform/GetParentControlInfo), reachable via an unauthenticated remote HTTP request with an oversized 'mac' parameter, enables exploitation of a public-facing application.