CVE-2025-25667
Published: 20 February 2025
Summary
CVE-2025-25667 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Tenda Ac8 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 25.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-25667 is a stack overflow vulnerability (CWE-120) in Tenda AC8V4 routers running firmware version V16.03.34.06. The flaw occurs in the get_parentControl_list_Info function when processing the urls parameter, allowing buffer overflow conditions that can corrupt the stack.
The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), with attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), and unchanged scope (S:U), resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H). Unauthenticated remote attackers can exploit this over the network to potentially achieve arbitrary code execution, data disclosure, modification of router settings, or denial-of-service by crashing the device.
Additional technical details, including a proof-of-concept, are documented in a GitHub repository at https://github.com/jangfan/my-vuln/blob/main/Tenda/AC8V4/saveParentControlInfo.md. No vendor advisories or patches are referenced in available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4506
Vulnerability details
Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the urls parameter in the function get_parentControl_list_Info.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack overflow in the web interface function get_parentControl_list_Info via urls parameter enables remote exploitation of a public-facing application on the Tenda router for potential code execution.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and limiting of the 'urls' parameter to prevent stack overflow from oversized or malformed inputs in get_parentControl_list_Info.
Implements memory protection mechanisms such as stack canaries or non-executable stacks to block arbitrary code execution from stack overflows.
Mandates identification, reporting, and correction of the specific stack overflow flaw in the router firmware to eliminate the vulnerability.