CVE-2025-25662

Critical

Published: 20 February 2025

Modified: 07 May 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25662 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Tenda O4 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 25.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-25662, published on 2025-02-20, is a buffer overflow vulnerability (CWE-120) affecting the Tenda O4 V3.0 device running firmware version V1.0.0.10(2936). The flaw resides in the SafeSetMacFilter function of the /goform/setMacFilterList CGI endpoint and can be triggered by specially crafted values in the remark, type, or time arguments. It carries a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts across confidentiality, integrity, and availability.

A remote, unauthenticated attacker can exploit this vulnerability over the network by sending a malicious HTTP request to the vulnerable endpoint. Exploitation requires no privileges or user interaction, enabling low-complexity attacks that could lead to arbitrary code execution, full system compromise, or denial of service on the affected device.

Further technical details, including proof-of-concept information, are available in the referenced advisory at https://github.com/jangfan/my-vuln/blob/main/Tenda/O4V3/setMacFilterList.md. No vendor patches or specific mitigations are detailed in the available information.

Vulnerability details

Tenda O4 V3.0 V1.0.0.10(2936) is vulnerable to Buffer Overflow in the function SafeSetMacFilter of the file /goform/setMacFilterList via the argument remark/type/time.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A buffer overflow in an unauthenticated, public-facing CGI web endpoint (/goform/setMacFilterList) on a network device enables remote arbitrary code execution via a crafted HTTP request, which maps directly to exploitation of public-facing applications for initial access and system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25674 (Same vendor: Tenda)
CVE-2025-29137 (Same vendor: Tenda)
CVE-2026-24113 (Same vendor: Tenda)
CVE-2026-24108 (Same vendor: Tenda)
CVE-2026-24110 (Same vendor: Tenda)
CVE-2025-25678 (Same vendor: Tenda)
CVE-2026-24103 (Same vendor: Tenda)
CVE-2025-25667 (Same vendor: Tenda)
CVE-2026-24111 (Same vendor: Tenda)
CVE-2026-24112 (Same vendor: Tenda)

Affected Assets

tenda
o4 firmware
1.0.0.10(2936)

Mitigating Controls (NIST 800-53 r5)

prevent

Directly prevents buffer overflow by enforcing input validation on the remark, type, and time arguments to the SafeSetMacFilter function in the /goform/setMacFilterList CGI endpoint.

prevent

Mitigates exploitation of the buffer overflow vulnerability through memory protection mechanisms such as stack canaries, ASLR, and DEP to prevent arbitrary code execution.

prevent

Addresses the specific buffer overflow flaw by requiring timely flaw remediation through firmware patching or code fixes for the affected Tenda O4 V3.0 device.
