CVE-2025-68706

Critical

Published: 29 December 2025

Published

29 December 2025

Modified

15 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0019 41.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer with no bounds checks.…

This allows an attacker to corrupt adjacent stack memory, crash the web server, and (under certain conditions) may enable arbitrary code execution.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation and bounds checking of user-supplied pincode input to prevent stack buffer overflow in the /goform/formMultiApnSetting handler.

SI-16 Memory Protection good match

prevent

Provides memory protection mechanisms such as stack canaries and non-executable stacks to block exploitation of the stack-based buffer overflow.

SI-2 Flaw Remediation good match

prevent

Ensures timely flaw remediation by patching the unsafe sprintf usage without bounds checks in the GoAhead-Webs HTTP daemon.

Security SummaryAI

CVE-2025-68706 is a stack-based buffer overflow vulnerability in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware version 1.0.13. The issue resides in the /goform/formMultiApnSetting handler, which employs sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer without bounds checking, as classified under CWE-121 (Stack-based Buffer Overflow). Published on 2025-12-29, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker with network access can exploit this vulnerability by submitting a specially crafted HTTP request containing an overly long pincode parameter. This triggers buffer overflow, corrupting adjacent stack memory and enabling denial-of-service via web server crashes. Under certain conditions, the overflow may facilitate arbitrary code execution.

Advisories and additional details are available via the provided references, including a technical report at https://drive.proton.me/urls/HJCJYAC7JM#XtHcm3P7QaYk, exploit details in https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-68706.txt, related repository at https://github.com/actuator/cve/tree/main/Kuwfi, and product information at https://kuwfi.com/products/kuwfi-gigabit-wireless-router-4g-lte-wifi-router-dual-band-portable-wifi-modem-hotspot-64-user-with-gigabit-wan-lan-rj11-port. No specific patches or mitigations are detailed in the primary description.

Details

CWE(s): CWE-121

Affected Products

kuwfi

ac900 firmware

1.0.13

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated stack-based buffer overflow in public-facing HTTP daemon (/goform/formMultiApnSetting) exploitable via crafted HTTP request for DoS or potential RCE, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://drive.proton.me/urls/HJCJYAC7JM#XtHcm3P7QaYk
Broken Link · cve@mitre.org
https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-68706.txt
Third Party Advisory · cve@mitre.org
https://github.com/actuator/cve/tree/main/Kuwfi
Third Party Advisory · cve@mitre.org
https://kuwfi.com/products/kuwfi-gigabit-wireless-router-4g-lte-wifi-router-dual-band-portable-wifi-modem-hotspot-64-user-with-gigabit-wan-lan-rj11-port
Product · cve@mitre.org