CVE-2025-29100
Published: 24 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-29100 is a stack-based buffer overflow vulnerability (CWE-121) affecting the Tenda AC8 router on firmware version V16.03.34.06. The flaw resides in the fromSetRouteStatic function and is triggered via the "list" parameter. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network reachability, low complexity, lack of required privileges or user interaction, and potential for high-impact disruption across confidentiality, integrity, and availability.
A remote, unauthenticated attacker can exploit this vulnerability over the network by sending a maliciously crafted request to the vulnerable function, causing a buffer overflow. Exploitation could result in arbitrary code execution on the device, enabling full compromise, such as persistent access, data theft, or service disruption.
References point to GitHub repositories by researcher Raining-101, including a gist and Markdown files detailing the Tenda AC8 V16.03.34.06 stack overflow in fromSetRouteStatic, with proof-of-concept code demonstrating the issue. No vendor advisories or patches are mentioned in the provided references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote unauthenticated stack-based buffer overflow in the public-facing fromSetRouteStatic web function directly enables T1190 (Exploit Public-Facing Application) for initial access and arbitrary code execution on the router.