CVE-2025-1896

CVE-2025-1896 is a critical buffer overflow vulnerability affecting the Tenda TX3 router on firmware version 16.03.13.11_multi. The flaw exists in unknown code within the /goform/SetStaticRouteCfg file, where manipulation of the argument list triggers the overflow. Published on 2025-03-04, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).

The vulnerability enables remote exploitation over the network with low complexity and no user interaction. Attackers require low privileges (PR:L), such as those of an authenticated user, to initiate the attack. Exploitation leads to high availability impact (A:H) with no confidentiality or integrity effects, as reflected in its CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), potentially resulting in denial of service.

Advisories and details are documented on VulDB (https://vuldb.com/?ctiid.298414, https://vuldb.com/?id.298414, https://vuldb.com/?submit.506602), with a public exploit disclosure available in a GitHub PDF (https://github.com/2664521593/mycve/blob/main/Tenda/TX3/tenda_tx3_bof_2.pdf). The Tenda vendor site (https://www.tenda.com.cn/) is referenced for potential further guidance. The exploit has been disclosed publicly and may be used.