CVE-2025-1853
Published: 03 March 2025
Summary
CVE-2025-1853 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac8 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates all inputs to the Parameter Handler's sub_49E098 function, preventing stack buffer overflows from manipulated argument lists.
Implements stack canaries, ASLR, and DEP to mitigate exploitation of the stack-based buffer overflow even if input validation fails.
Requires timely remediation of the identified buffer overflow flaw in Tenda AC8 firmware version 16.03.34.06 via patching or upgrades.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public-facing web form handler (/goform/SetIpMacBind) on network device enables remote exploitation for RCE/impact.
NVD Description
A vulnerability was found in Tenda AC8 16.03.34.06 and classified as critical. This issue affects the function sub_49E098 of the file /goform/SetIpMacBind of the component Parameter Handler. The manipulation of the argument list leads to stack-based buffer overflow. The attack…
more
may be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-1853, published on 2025-03-03, is a critical stack-based buffer overflow vulnerability (CVSS 8.8; CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting Tenda AC8 router firmware version 16.03.34.06. The flaw resides in the sub_49E098 function within the /goform/SetIpMacBind file of the Parameter Handler component, triggered by manipulation of the argument list. It is associated with CWEs-119, CWE-121, and CWE-787.
An attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (C:H), modification of system resources (I:H), and disruption of services (A:H), such as potential remote code execution or device crashes via the buffer overflow.
Advisories and details are documented in references including a GitHub proof-of-concept at https://github.com/Raining-101/IOT_cve/blob/main/tenda-ac8_sub_49E098.md, VULDB entries at https://vuldb.com/?ctiid.298121, https://vuldb.com/?id.298121, and https://vuldb.com/?submit.505374, and the vendor site at https://www.tenda.com.cn/. The exploit has been publicly disclosed and may be used, but no specific patches or mitigations are detailed in the available information.
Exploitation is feasible given the public disclosure of the exploit, posing elevated risk to exposed Tenda AC8 devices running the affected firmware version.
Details
- CWE(s)