CVE-2025-25662
Published: 20 February 2025
Summary
CVE-2025-25662 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Tenda O4 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 25.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-25662, published on 2025-02-20, is a buffer overflow vulnerability (CWE-120) affecting the Tenda O4 V3.0 device running firmware version V1.0.0.10(2936). The flaw resides in the SafeSetMacFilter function of the /goform/setMacFilterList CGI endpoint and can be triggered by specially crafted values in the remark, type, or time arguments. It carries a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts across confidentiality, integrity, and availability.
A remote, unauthenticated attacker can exploit this vulnerability over the network by sending a malicious HTTP request to the vulnerable endpoint. Exploitation requires no privileges or user interaction, enabling low-complexity attacks that could lead to arbitrary code execution, full system compromise, or denial of service on the affected device.
Further technical details, including proof-of-concept information, are available in the referenced advisory at https://github.com/jangfan/my-vuln/blob/main/Tenda/O4V3/setMacFilterList.md. No vendor patches or specific mitigations are detailed in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4503
Vulnerability details
Tenda O4 V3.0 V1.0.0.10(2936) is vulnerable to Buffer Overflow in the function SafeSetMacFilter of the file /goform/setMacFilterList via the argument remark/type/time.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in unauthenticated public-facing CGI web endpoint (/goform/setMacFilterList) on network device enables remote arbitrary code execution via crafted HTTP request, directly mapping to exploitation of public-facing applications for initial access and system compromise.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents buffer overflow by enforcing input validation on the remark, type, and time arguments to the SafeSetMacFilter function in the /goform/setMacFilterList CGI endpoint.
Mitigates exploitation of the buffer overflow vulnerability through memory protection mechanisms such as stack canaries, ASLR, and DEP to prevent arbitrary code execution.
Addresses the specific buffer overflow flaw by requiring timely flaw remediation through firmware patching or code fixes for the affected Tenda O4 V3.0 device.
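The input-validation control (SI-10) described above, as an added C example; it is not code from the Tenda firmware or the referenced advisory. The field size limits, the struct, the function names and the sample values are assumptions, since the page does not give the firmware's buffer sizes or data layout.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical limits: the real firmware buffer sizes are not on the page. */
#define REMARK_MAX 32
#define TYPE_MAX    8
#define TIME_MAX   16

struct mac_filter_entry {          /* hypothetical layout */
    char remark[REMARK_MAX];
    char type[TYPE_MAX];
    char time[TIME_MAX];
};

/* Copy src into dst only if it fits with its terminator and is printable
 * ASCII. Returns 0 on success, -1 on rejection (no silent truncation). */
static int copy_field(char *dst, size_t dst_size, const char *src)
{
    if (src == NULL)
        return -1;
    /* Look for the terminator within dst_size bytes only. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;                 /* value would not fit: reject */
    size_t len = (size_t)(end - src);
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c > 0x7e)
            return -1;             /* control or non-ASCII byte */
    }
    memcpy(dst, src, len + 1);     /* len + 1 <= dst_size is guaranteed */
    return 0;
}

/* Validate the remark, type and time arguments before the stored entry is
 * touched; the entry is updated only if all three pass. */
int set_mac_filter_entry(struct mac_filter_entry *out, const char *remark,
                         const char *type, const char *time_range)
{
    struct mac_filter_entry tmp = {0};
    if (copy_field(tmp.remark, sizeof tmp.remark, remark) != 0 ||
        copy_field(tmp.type, sizeof tmp.type, type) != 0 ||
        copy_field(tmp.time, sizeof tmp.time, time_range) != 0)
        return -1;
    *out = tmp;
    return 0;
}
```

Rejecting an over-long value instead of truncating it keeps the stored entry consistent with what the client sent and gives the handler a clear error path to log.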