CVE-2025-29360
Published: 13 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-29360 is a buffer overflow vulnerability in the Tenda RX3 router firmware version US_RX3V1.0br_V16.03.13.11_multi_TDE01. The issue resides in the /goform/SetSysTimeCfg endpoint, where the time and timeZone parameters are processed unsafely, allowing overflow conditions (CWE-120). It has a CVSS v3.1 base score of 7.5, reflecting high severity due to its potential for disruption.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a specially crafted packet to the affected endpoint, attackers can trigger the buffer overflow, resulting in a denial-of-service condition such as device crash or reboot, with no impact on confidentiality or integrity.
Advisories and technical details are documented in references including https://github.com/2664521593/mycve/blob/main/Tenda/RX3/tenda_rx3_bof_1.pdf. Practitioners should consult these for exploit proofs, patch information, or firmware upgrade guidance from Tenda.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in public-facing /goform/SetSysTimeCfg web endpoint enables T1190 exploitation; results in device crash/reboot enabling T1499.004 Application or System Exploitation for DoS.