Cyber Posture

CVE-2025-1897

MediumPublic PoC

Published: 04 March 2025

Published
04 March 2025
Modified
05 March 2025
KEV Added
Patch
CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 22.4th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Security Summary

CVE-2025-1897 is a critical buffer overflow vulnerability affecting Tenda TX3 firmware version 16.03.13.11_multi. The flaw occurs in the processing of the /goform/SetNetControlList file, where manipulation of the argument list triggers the overflow. It is associated with CWE-119 and CWE-120, and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

The vulnerability enables remote exploitation by attackers possessing low privileges. Successful manipulation can lead to a denial of service due to the high availability impact, with low attack complexity and no requirement for user interaction.

Advisories are available via VulDB entries (ctiid.298415, id.298415, submit.506604) and a GitHub repository containing a PDF exploit for Tenda TX3 (https://github.com/2664521593/mycve/blob/main/Tenda/TX3/tenda_tx3_bof_3.pdf). The Tenda vendor website (https://www.tenda.com.cn/) is also referenced. The exploit has been publicly disclosed and may be used.

Details

CWE(s)
CWE-119CWE-120

Affected Products

tenda
tx3 firmware
16.03.13.11

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

The buffer overflow vulnerability in /goform/SetNetControlList enables remote attackers to perform an endpoint denial of service by exploiting the application with a crafted 'list' parameter, causing a crash.

References