CVE-2025-25674
Published: 20 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25674 is a buffer overflow vulnerability (CWE-120) in the Tenda AC10 V1.0 router running firmware version V15.03.06.23. The flaw occurs in the form_fast_setting_wifi_set function when it processes the 'ssid' parameter, and it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Published on 2025-02-20, it exposes the device to potential remote exploitation due to inadequate bounds checking on user-supplied input.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation has a high impact on confidentiality, integrity, and availability, likely enabling arbitrary code execution, device takeover, or denial of service.
The primary reference at https://github.com/jangfan/my-vuln/blob/main/Tenda/AC10V1/fast_setting_wifi_set.md details the vulnerability, including the affected endpoint and parameter. No official vendor patches or mitigation advisories are specified in available data.
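The kind of bounds check the summary describes as inadequate, shown as an added example beside the unsafe pattern (this is not code from the Tenda firmware or from the referenced write-up). The function names, the 33-byte destination buffer and the control-byte policy are assumptions; the 32-octet SSID limit is the IEEE 802.11 maximum.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32 /* IEEE 802.11 limits an SSID to 32 octets */

enum ssid_status { SSID_OK, SSID_EMPTY, SSID_TOO_LONG, SSID_BAD_BYTE, SSID_BAD_ARG };

/* Unsafe pattern (CWE-120, hypothetical): the request decides how many bytes
 * are written, not the destination. Shown for contrast and never called here. */
void store_ssid_unchecked(char dst[SSID_MAX_LEN + 1], const char *param)
{
    strcpy(dst, param); /* no bound on the copy */
}

/* Hardened form: measure the input with a bounded scan, reject what does
 * not fit, and copy only after every check has passed. dst is untouched on error. */
enum ssid_status store_ssid_checked(char *dst, size_t dst_size, const char *param)
{
    if (dst == NULL || param == NULL || dst_size < SSID_MAX_LEN + 1)
        return SSID_BAD_ARG;

    /* Never inspects more than SSID_MAX_LEN + 1 bytes of the input. */
    size_t len = 0;
    while (len <= SSID_MAX_LEN && param[len] != '\0')
        len++;
    if (len > SSID_MAX_LEN)
        return SSID_TOO_LONG;
    if (len == 0)
        return SSID_EMPTY;
    for (size_t i = 0; i < len; i++) { /* assumed policy: no control bytes */
        unsigned char c = (unsigned char)param[i];
        if (c < 0x20 || c == 0x7f)
            return SSID_BAD_BYTE;
    }
    memcpy(dst, param, len);
    dst[len] = '\0';
    return SSID_OK;
}

int main(void)
{
    char ssid[SSID_MAX_LEN + 1] = "";
    char oversized[201]; /* constructed sample: 200 bytes of 'A' */
    memset(oversized, 'A', 200);
    oversized[200] = '\0';
    printf("normal:    %d\n", store_ssid_checked(ssid, sizeof ssid, "HomeNet"));
    printf("oversized: %d\n", store_ssid_checked(ssid, sizeof ssid, oversized));
    return 0;
}
```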
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote unauthenticated buffer overflow in the router's public web form (form_fast_setting_wifi_set) directly enables exploitation of a public-facing application for RCE or DoS.