CVE-2025-29214
Published: 20 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-29214, published on 2025-03-20, is a stack-based buffer overflow vulnerability (CWE-121) affecting the Tenda AX12 router in version v22.03.01.46_CN. The flaw occurs in the sub_42F69C function, which is triggered via the /goform/setMacFilterCfg endpoint.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low attack complexity, no required privileges, and no user interaction. Remote attackers can achieve denial of service by crashing the affected device, disrupting availability without impacting confidentiality or integrity.
References to the vulnerability include a GitHub Gist and a technical PDF document detailing the stack overflow, which appear to provide proof-of-concept information but do not specify mitigations or patches.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote exploitation of a stack buffer overflow in a router's public web interface endpoint (/goform/setMacFilterCfg), directly enabling T1190 (Exploit Public-Facing Application) for initial access attempts and T1499.004 (Application or System Exploitation) to crash the device and achieve denial of service.