CVE-2025-0349
Published: 09 January 2025
Summary
CVE-2025-0349 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac6 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates and sanitizes the src/mac input argument to prevent the stack-based buffer overflow in the GetParentControlInfo function.
Implements memory protections such as stack canaries, ASLR, and DEP to mitigate exploitation of the stack buffer overflow even if input validation fails.
Requires timely identification, reporting, and patching of the specific buffer overflow flaw in Tenda AC6 firmware version 15.03.05.16.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the Tenda AC6 router's public-facing web interface (/goform/GetParentControlInfo) via unauthenticated remote HTTP request with oversized 'mac' parameter enables exploitation of a public-facing application.
NVD Description
A vulnerability classified as critical has been found in Tenda AC6 15.03.05.16. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. The manipulation of the argument src/mac leads to stack-based buffer overflow. It is possible to launch the attack remotely.…
more
The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Deeper analysisAI
CVE-2025-0349 is a critical stack-based buffer overflow vulnerability in Tenda AC6 router firmware version 15.03.05.16. The flaw affects the GetParentControlInfo function in the /goform/GetParentControlInfo file, triggered by manipulation of the src/mac argument. It maps to CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write), and was published on 2025-01-09.
The vulnerability enables remote exploitation over the network with low attack complexity, requiring only low privileges (PR:L), no user interaction, and no change in scope (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8). A low-privileged attacker could achieve high impacts on confidentiality, integrity, and availability, potentially resulting in arbitrary code execution or full device compromise.
Advisories and details are available via VulDB entries (https://vuldb.com/?ctiid.290862, https://vuldb.com/?id.290862, https://vuldb.com/?submit.477048) and the Tenda vendor site (https://www.tenda.com.cn/). A proof-of-concept exploit has been publicly disclosed in a GitHub issue (https://github.com/wy876/cve/issues/5) and may be used; other parameters might also be affected.
Details
- CWE(s)