CVE-2023-25235
Published: 27 February 2023
Summary
CVE-2023-25235 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Tenda AC500 firmware. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 13.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog; a public proof-of-concept is referenced.
Deeper analysis
Tenda AC500 routers running firmware version V2.0.1.9(1307) contain a buffer overflow in the formOneSsidCfgSet function, reachable through the ssid parameter. The flaw is classified under CWE-787 as an out-of-bounds write and carries a CVSS 3.1 base score of 7.5, reflecting a network-accessible attack vector, low attack complexity, no privileges or user interaction required, and a high impact on availability only (the combination that yields 7.5 is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote attackers without credentials can trigger the issue by submitting an over-long or otherwise crafted ssid value in a configuration request to the device's administrative interface; the unchecked copy corrupts memory and crashes the affected device, producing a denial-of-service condition. The same network vector allows the attack to be launched against any administrative interface exposed to the attacker, including one reachable from the WAN side if remote management is enabled. The referenced material establishes a crash; it does not establish that the overflow is controllable enough for code execution, which is why confidentiality and integrity are scored as unaffected.
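The pattern behind this class of bug, as an added illustration written for this page rather than code taken from the Tenda firmware or the referenced repositories: a form handler pulls the ssid parameter out of the request body and copies it into a fixed-size buffer with no length check, so a value longer than the buffer overwrites whatever follows it on the stack. The buffer sizes, the form-body layout, the function names and the "frame" that stands in for the handler's stack are all assumptions made for the demonstration; the real formOneSsidCfgSet internals are not public on this page. The hardened variant rejects anything longer than a legal 802.11 SSID before copying.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Sizes assumed for this reconstruction; they are not taken from the Tenda binary. */
#define SSID_MAX 32              /* longest SSID allowed by 802.11, in bytes */
#define SSID_BUF (SSID_MAX + 1)  /* modeled destination buffer, NUL included */
#define FRAME_LEN 64             /* modeled stack frame: SSID_BUF plus adjacent data */

/* Extract one key from an application/x-www-form-urlencoded body (raw value,
 * no percent-decoding). Returns the value length, or -1 if absent or too long. */
static int form_param(const char *body, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen + 1 > outlen) return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return -1;
}

/* Vulnerable pattern: strcpy-style copy with no check against SSID_BUF.
 * `frame` stands in for the handler's stack frame so the overwrite can be
 * observed; the cap at frame_len only keeps this demo inside allocated memory. */
static void vuln_set_ssid(const char *ssid, unsigned char *frame, size_t frame_len)
{
    size_t n = strlen(ssid) + 1;
    if (n > frame_len) n = frame_len;
    memcpy(frame, ssid, n);
}

/* Hardened form: validate length before copying, then copy with an explicit bound. */
static int safe_set_ssid(const char *ssid, char *dst, size_t dstlen)
{
    if (ssid == NULL || dstlen < SSID_BUF) return -1;
    size_t len = 0;
    while (len <= SSID_MAX && ssid[len] != '\0') len++;
    if (len == 0 || len > SSID_MAX) return -1;   /* empty or over-long: reject */
    memcpy(dst, ssid, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed request body "ssid=AAA...A&channel=6" with ssid_len A's. */
static int build_body(size_t ssid_len, char *out, size_t outlen)
{
    if (ssid_len + sizeof("ssid=&channel=6") > outlen) return -1;
    memcpy(out, "ssid=", 5);
    memset(out + 5, 'A', ssid_len);
    strcpy(out + 5 + ssid_len, "&channel=6");
    return 0;
}

/* Runs the vulnerable handler on a body whose ssid is ssid_len bytes and
 * returns how many bytes past the modeled SSID buffer were overwritten. */
size_t overflow_bytes_for_len(size_t ssid_len)
{
    char body[256], value[256];
    unsigned char frame[FRAME_LEN];
    memset(frame, 0xAA, sizeof frame);           /* 0xAA marks untouched bytes */
    if (build_body(ssid_len, body, sizeof body) < 0) return 0;
    if (form_param(body, "ssid", value, sizeof value) < 0) return 0;
    vuln_set_ssid(value, frame, sizeof frame);
    size_t clobbered = 0;
    for (size_t i = SSID_BUF; i < sizeof frame; i++)
        if (frame[i] != 0xAA) clobbered++;
    return clobbered;
}

/* Same request through the hardened handler: 1 if accepted, 0 if rejected. */
int safe_accepts_len(size_t ssid_len)
{
    char body[256], value[256], cfg[SSID_BUF];
    if (build_body(ssid_len, body, sizeof body) < 0) return 0;
    if (form_param(body, "ssid", value, sizeof value) < 0) return 0;
    return safe_set_ssid(value, cfg, sizeof cfg) == 0;
}

int main(void)
{
    size_t lens[] = { 7, 32, 48, 200 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("ssid length %3zu: vulnerable handler clobbers %2zu adjacent bytes, "
               "hardened handler %s\n", lens[i], overflow_bytes_for_len(lens[i]),
               safe_accepts_len(lens[i]) ? "accepts" : "rejects");
    return 0;
}
```

A 32-byte SSID fits both handlers; a 48-byte one passes through the vulnerable copy and lands 16 bytes beyond the modeled buffer, exactly the region where a real stack frame keeps saved registers and the return address. The hardened handler refuses it before any copy happens, which is the check a firmware fix for this bug needs to add in the request parser, not after the fact.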
The two referenced GitHub repositories document the vulnerability details but contain no information on an official patch or vendor mitigation steps; until a fixed firmware is confirmed, keeping the administrative interface off the WAN side and restricting LAN access to it is the practical mitigation. Exploitation probability, as measured by EPSS, rose from a low baseline to a peak of 0.1829 before receding to the current value of 0.0305, consistent with a burst of interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-29198
Vulnerability details
Tenda AC500 V2.0.1.9(1307) is vulnerable to Buffer Overflow in function formOneSsidCfgSet via parameter ssid.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Tenda AC500 firmware V2.0.1.9(1307)
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory protections such as non-executable stack and heap (NX/DEP), address-space layout randomization and stack canaries: out-of-bounds writes that corrupt control flow or inject shellcode are blunted by these, since injected code cannot execute and return addresses become hard to predict. Two caveats apply here: consumer router firmware is commonly built without these protections, so their presence on the affected build should be verified rather than assumed, and none of them prevents the crash and denial of service that this CVE is scored for; only fixing the unbounded copy in formOneSsidCfgSet, or keeping the administrative interface away from untrusted networks, does that.