CVE-2025-69763
Published: 21 January 2026
Description
Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the vlanId parameter, which can cause memory corruption and enable remote code execution.
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces validation of the vlanId parameter input to prevent stack overflow and memory corruption from crafted requests.
Implements memory protections such as stack canaries or DEP to block unauthorized code execution from stack-based buffer overflows.
Mandates timely flaw remediation through firmware patching to eliminate the specific stack overflow vulnerability in formSetIptv.
Security SummaryAI
CVE-2025-69763, published on 2026-01-21, is a stack-based buffer overflow vulnerability (CWE-121) affecting Tenda AX3 router firmware version 16.03.12.11. The flaw occurs in the formSetIptv function when processing the vlanId parameter, resulting in memory corruption that enables remote code execution. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and without requiring user interaction. By sending a specially crafted request targeting the vlanId parameter, attackers can trigger the stack overflow, overwrite memory, and achieve arbitrary code execution on the affected device, granting full control over the router.
Advisories and technical details are available at https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef8025a3c6c4b102d95dd4.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote code execution via stack-based buffer overflow in the router's web management interface (formSetIptv function) directly enables exploitation of a public-facing application.