CVE-2025-29135
Published: 24 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-29135 is a stack-based buffer overflow vulnerability (CWE-121) in the Tenda AC7 router running firmware version V15.03.06.44. The flaw occurs in the formWifiBasicSet function, where the security parameter can be abused to trigger a stack overflow, potentially allowing arbitrary code execution. Published on March 24, 2025, it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.
The vulnerability can be exploited by a remote attacker over the network with no required privileges, low complexity, and no user interaction (AV:N/AC:L/PR:N/UI:N). Successful exploitation grants high-impact confidentiality, integrity, and availability consequences (C:H/I:H/A:H) within the unchanged scope (S:U), enabling the attacker to execute arbitrary code on the affected device.
Proof-of-concept details are documented in public GitHub repositories by Raining-101, including a Gist at https://gist.github.com/Raining-101/1651dd3901efdbb38d94a156a54bbc62 and Markdown files at https://github.com/Raining-101/IOT_cve/blob/main/a7_formWifiBasic_Setsecurity_stackoverflow.md. No vendor advisories or patches are referenced in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in router web form handling function (formWifiBasicSet) enables remote unauthenticated arbitrary code execution on a public-facing network device.