Cyber Resilience

CVE-2025-25667

Critical · Public PoC

Published: 20 February 2025
Modified: 17 March 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25667 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Tenda Ac8 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 25.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-25667 is a stack overflow vulnerability (CWE-120) in Tenda AC8V4 routers running firmware version V16.03.34.06. The flaw occurs in the get_parentControl_list_Info function when processing the urls parameter, allowing buffer overflow conditions that can corrupt the stack.

The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), and unchanged scope (S:U), with high impact to confidentiality, integrity, and availability (C:H/I:H/A:H). Unauthenticated remote attackers can exploit this over the network to potentially achieve arbitrary code execution, data disclosure, modification of router settings, or denial-of-service by crashing the device.

Additional technical details, including a proof-of-concept, are documented in a GitHub repository at https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/saveParentControlInfo.md. No vendor advisories or patches are referenced in available information.

Vulnerability details

Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the urls parameter in the function get_parentControl_list_Info.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack overflow in the web interface function get_parentControl_list_Info via urls parameter enables remote exploitation of a public-facing application on the Tenda router for potential code execution.

CVEs Like This One

CVE-2025-25668 (same product: Tenda Ac8)
CVE-2025-25663 (same product: Tenda Ac8)
CVE-2025-25664 (same product: Tenda Ac8)
CVE-2026-2202 (same product: Tenda Ac8)
CVE-2024-57703 (same product: Tenda Ac8)
CVE-2024-57704 (same product: Tenda Ac8)
CVE-2025-51087 (same product: Tenda Ac8)
CVE-2025-12618 (same product: Tenda Ac8)
CVE-2026-4254 (same product: Tenda Ac8)
CVE-2025-29100 (same product: Tenda Ac8)

Affected Assets

Vendor: tenda
Product: ac8 firmware
Version: 16.03.34.06

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires validation and limiting of the 'urls' parameter to prevent stack overflow from oversized or malformed inputs in get_parentControl_list_Info.

Prevent: Implements memory protection mechanisms such as stack canaries or non-executable stacks to block arbitrary code execution from stack overflows.

Prevent: Mandates identification, reporting, and correction of the specific stack overflow flaw in the router firmware to eliminate the vulnerability.
