CVE-2025-28221
Published: 28 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-28221 is a buffer overflow vulnerability affecting the Tenda W6_S router running firmware version 1.0.0.4_510. The issue resides in the set_local_time function, which fails to properly validate the 'time' parameter passed via a POST request to the binary, leading to a buffer overflow condition.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no authentication privileges, user interaction, or special conditions, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation results in a denial-of-service condition by crashing the web server, disrupting device availability without impacting confidentiality or integrity.
For mitigation details, refer to the advisory at https://github.com/IdaJea/IOT_vuln_1/blob/master/w6_s_v1.0.0.4/time.pdf. The vulnerability was published on 2025-03-28.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in the router web server's set_local_time function allows remote unauthenticated exploitation to crash the service, directly mapping to application/system exploitation for endpoint denial of service.