CVE-2025-29363
Published: 13 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-29363 is a buffer overflow vulnerability (CWE-120) affecting the Tenda RX3 router running firmware version US_RX3V1.0br_V16.03.13.11_multi_TDE01. The issue resides in the /goform/saveParentControlInfo endpoint, where the schedStartTime and schedEndTime parameters can be exploited due to insufficient bounds checking, leading to a stack-based buffer overflow. Published on 2025-03-13 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), it enables remote denial-of-service (DoS) conditions without impacting confidentiality or integrity.
Any unauthenticated attacker with network access to the vulnerable router can exploit this flaw by sending a specially crafted packet to the affected endpoint. The low attack complexity and lack of required privileges or user interaction make it straightforward to trigger, resulting in the device crashing or becoming unresponsive, thereby disrupting network services hosted by the router.
Advisories and detailed technical analysis, including proof-of-concept details, are available in the referenced GitHub documents at https://github.com/2664521593/mycve/blob/main/Tenda/RX3/tenda_rx3_bof_7.pdf. No vendor patches or specific mitigation steps beyond upgrading firmware are detailed in the provided information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in unauthenticated public-facing web endpoint (/goform/saveParentControlInfo) directly enables remote exploitation of the application for DoS via system crash.