CVE-2025-25662
Published: 20 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25662, published on 2025-02-20, is a buffer overflow vulnerability (CWE-120) affecting the Tenda O4 V3.0 device running firmware version V1.0.0.10(2936). The flaw resides in the SafeSetMacFilter function of the /goform/setMacFilterList CGI endpoint and can be triggered by specially crafted values in the remark, type, or time arguments. It carries a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts across confidentiality, integrity, and availability.
A remote, unauthenticated attacker can exploit this vulnerability over the network by sending a malicious HTTP request to the vulnerable endpoint. Exploitation requires no privileges or user interaction, enabling low-complexity attacks that could lead to arbitrary code execution, full system compromise, or denial of service on the affected device.
Further technical details, including proof-of-concept information, are available in the referenced advisory at https://github.com/jangfan/my-vuln/blob/main/Tenda/O4V3/setMacFilterList.md. No vendor patches or specific mitigations are detailed in the available information.
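For defenders who log HTTP traffic in front of the device, the following added example (not taken from the referenced advisory or from Tenda) flags requests to /goform/setMacFilterList whose remark, type, or time values are unusually long or contain non-printable bytes. The log line format, the 64-character threshold, and the function names are assumptions made for illustration; both the query string and the request body are checked because the page does not state how the arguments are sent.

```python
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/setMacFilterList"   # endpoint named on this page
WATCHED = ("remark", "type", "time")    # arguments named on this page
MAX_LEN = 64                            # ASSUMPTION: tune to what the real web UI sends

# Constructed (hypothetical) proxy log format: ip "METHOD target" status "body"
LINE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "(.*)"$')

def suspicious_fields(target, body=""):
    """Return {field: length} for watched arguments that are over-long
    or decode to non-printable characters."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != ENDPOINT:
        return {}
    hits = {}
    for raw in (parts.query, body):     # arguments may arrive in either place
        pairs = parse_qsl(raw, keep_blank_values=True, encoding="latin-1")
        for name, value in pairs:
            if name in WATCHED and (len(value) > MAX_LEN or not value.isprintable()):
                hits[name] = max(len(value), hits.get(name, 0))
    return hits

def scan(lines):
    """Return (line_number, source_ip, hits) for every flagged log line."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue                    # skip lines in another format
        src, _method, target, _status, body = m.groups()
        hits = suspicious_fields(target, body)
        if hits:
            alerts.append((n, src, hits))
    return alerts

# Constructed sample input; addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 "POST /goform/setMacFilterList" 200 "remark=printer&type=1&time=08:00-18:00"',
    '198.51.100.7 "POST /goform/setMacFilterList" 200 "remark=' + "A" * 300 + '&type=1&time=0"',
    '198.51.100.7 "GET /goform/setMacFilterList?time=' + "%41" * 200 + '" 200 ""',
    '192.0.2.10 "POST /goform/other" 200 "remark=' + "B" * 300 + '"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A length threshold is a heuristic, not a fix: it surfaces probing and exploitation attempts for review, while restricting access to the management interface is what removes the exposure.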
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A buffer overflow in an unauthenticated, public-facing CGI web endpoint (/goform/setMacFilterList) on a network device enables remote arbitrary code execution via a crafted HTTP request. This maps directly to exploitation of a public-facing application for initial access and system compromise.