CVE-2025-25667
Published: 20 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25667 is a stack overflow vulnerability (CWE-120) in Tenda AC8V4 routers running firmware version V16.03.34.06. The flaw occurs in the get_parentControl_list_Info function when processing the urls parameter, allowing buffer overflow conditions that can corrupt the stack.
The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), with attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), and unchanged scope (S:U), resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H). Unauthenticated remote attackers can exploit this over the network to potentially achieve arbitrary code execution, data disclosure, modification of router settings, or denial-of-service by crashing the device.
Additional technical details, including a proof-of-concept, are documented in a GitHub repository at https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/saveParentControlInfo.md. No vendor advisories or patches are referenced in available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack overflow in the web interface function get_parentControl_list_Info via urls parameter enables remote exploitation of a public-facing application on the Tenda router for potential code execution.