CVE-2025-14878
Published: 18 December 2025
Summary
CVE-2025-14878 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Wh450 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the stack-based buffer overflow by applying firmware patches or updates from the vendor to eliminate the flaw in the HTTP Request Handler.
Enforces validation of the 'GO' argument in the /goform/wirelessRestart endpoint to prevent improper restriction of operations within memory bounds leading to buffer overflow.
Implements memory protection mechanisms such as stack canaries, ASLR, and DEP to detect and prevent exploitation of the stack-based buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the public-facing HTTP request handler (/goform/wirelessRestart) of Tenda WH450 router enables remote, unauthenticated arbitrary code execution or DoS via exploitation of a public-facing application.
NVD Description
A security flaw has been discovered in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/wirelessRestart of the component HTTP Request Handler. The manipulation of the argument GO results in stack-based buffer overflow. The attack may be…
more
performed from remote. The exploit has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2025-14878 is a stack-based buffer overflow vulnerability affecting the Tenda WH450 router on firmware version 1.0.0.18. The issue impacts an unknown function in the /goform/wirelessRestart file within the HTTP Request Handler component, where manipulation of the "GO" argument triggers the overflow. Published on 2025-12-18, it is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow) and carries a CVSS v3.1 base score of 9.8.
The vulnerability enables remote exploitation with no authentication, privileges, or user interaction required (AV:N/AC:L/PR:N/UI:N). Attackers can achieve high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), potentially leading to arbitrary code execution on the affected device.
A proof-of-concept exploit has been publicly released on GitHub (https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/wirelessRestart/wirelessRestart.md), with further details available via VulDB (https://vuldb.com/?ctiid.337369, https://vuldb.com/?id.337369, https://vuldb.com/?submit.715357). The vendor site is at https://www.tenda.com.cn/, though no specific patch or mitigation guidance is detailed in the references.
Details
- CWE(s)