CVE-2025-1895
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-1895 is a buffer overflow vulnerability (CWE-119, CWE-120) in Tenda TX3 firmware version 16.03.13.11_multi. The flaw affects an unknown part of the /goform/setMacFilterCfg file, where manipulation of the deviceList argument triggers the overflow. Published on 2025-03-04, it carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
An attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation results in high availability impact, such as device crashes or denial of service, without compromising confidentiality or integrity.
VulDB advisories (ctiid.298413, id.298413, submit.506601) document the issue, and a proof-of-concept exploit is publicly disclosed in a GitHub repository (tenda_tx3_bof_1.pdf). The Tenda vendor website provides relevant resources for further details on patches or mitigations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A buffer overflow in a public web form (/goform/setMacFilterCfg) enables remote exploitation of internet-facing router firmware to cause a denial of service via crash. T1190 covers the exploitation of a public-facing application; T1499.004 covers application or system exploitation that causes availability impact.