CVE-2025-29121
Published: 20 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-29121 is a stack-based buffer overflow vulnerability (CWE-121) affecting Tenda AC6 routers running firmware version V15.03.05.16. The flaw is in the /goform/fast_setting_wifi_set functionality and is triggered by the timeZone parameter in the form_fast_setting_wifi_set file.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low attack complexity, requiring no privileges or user interaction. Unauthenticated attackers can send crafted requests to cause a stack-based buffer overflow, resulting in high availability impact through denial-of-service, such as crashing the affected router component.
References for CVE-2025-29121 point to GitHub repositories under Raining-101/IOT_cve, including details on the ac6_form_fast_setting_wifi_set timeZone parameter. No vendor advisory or patch information is detailed in the available data.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated stack buffer overflow in a public-facing web interface (/goform/fast_setting_wifi_set) on a router, directly enabling T1190 (Exploit Public-Facing Application). Exploitation results in denial-of-service via application crash, mapping to T1499.004 (Application or System Exploitation).