CVE-2025-1899
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-1899 is a critical buffer overflow vulnerability in Tenda TX3 firmware version 16.03.13.11_multi. The flaw affects an unknown functionality within the /goform/setPptpUserList file, where manipulation of the argument list triggers the overflow. It is associated with CWE-119 and CWE-120.
The vulnerability enables remote exploitation by low-privileged users over the network. Per its CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), attacks require network access, low complexity, and low privileges with no user interaction, leading to high availability impact such as denial of service.
Advisories are documented on VulDB at ctiid.298417, id.298417, and submit.506607, with a proof-of-concept exploit publicly disclosed in a GitHub PDF at https://github.com/2664521593/mycve/blob/main/Tenda/TX3/tenda_tx3_bof_5.pdf. The vendor site is at https://www.tenda.com.cn/.
The exploit has been disclosed to the public and may be used against vulnerable devices.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in public-facing web form (/goform/setPptpUserList) enables remote low-privileged exploitation causing denial of service via application crash, directly mapping to T1499.004.