CVE-2025-1898
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-1898 is a critical buffer overflow vulnerability (CWE-119, CWE-120) affecting Tenda TX3 router firmware version 16.03.13.11_multi. The flaw exists in an unknown function of the /goform/openSchedWifi file, where manipulation of the schedStartTime and schedEndTime arguments triggers the overflow. Published on 2025-03-04, it carries a CVSSv3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
The vulnerability enables remote exploitation over the network with low complexity and no user interaction required. Attackers need low privileges, such as those of an authenticated user, to submit crafted requests targeting the vulnerable arguments. Successful exploitation leads to high availability impact (A:H), typically resulting in denial-of-service conditions like device crashes or reboots, with no direct confidentiality or integrity effects.
Advisories on VulDB detail the issue (ctiid.298416, id.298416, submit.506606), and a proof-of-concept exploit is publicly disclosed in a PDF at github.com/2664521593/mycve/blob/main/Tenda/TX3/tenda_tx3_bof_4.pdf. The Tenda vendor site (tenda.com.cn) should be consulted for any patches or mitigation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in Tenda TX3 router web interface (/goform/openSchedWifi) via crafted schedStartTime/schedEndTime parameters enables remote denial of service by crashing the application, directly facilitating T1499.004 (Application or System Exploitation).