CVE-2025-25663
Published: 20 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25663 is a stack-based buffer overflow vulnerability affecting Tenda AC8V4 router firmware version V16.03.34.06. The flaw exists in the SUB_0046AC38 function of the /goform/WifiExtraSet file, where manipulation of the wpapsk_crypto argument triggers the overflow. It maps to CWE-787 (Out-of-bounds Write) and CWE-120 (Buffer Copy without Checking Size of Input), and was published on 2025-02-20.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability enables exploitation over the network with low complexity, requiring no authentication or user interaction. Unauthenticated remote attackers can achieve high-impact effects on confidentiality, integrity, and availability, likely leading to arbitrary code execution on the device.
Technical details on the vulnerability, including exploitation specifics, are documented in the advisory at https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/WifiExtraSet.md. No patch or mitigation guidance is specified in the available description.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in the public-facing web interface (/goform/WifiExtraSet) enables remote code execution via exploitation of a public-facing application.