CVE-2025-29121
Published: 20 March 2025
Summary
CVE-2025-29121 is a high-severity stack-based buffer overflow (CWE-121) vulnerability in Tenda AC6 firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 44.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Validates the timeZone parameter in /goform/fast_setting_wifi_set to prevent stack-based buffer overflow from malformed inputs.
Implements memory safeguards such as stack canaries to protect against exploitation of the stack-based buffer overflow in Tenda AC6 firmware.
Ensures timely remediation and patching of the specific stack-based buffer overflow flaw in Tenda AC6 V15.03.05.16 firmware.
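A sketch of the input validation described in the first control above, as an added example that is not Tenda's code or code from the referenced repositories. It assumes the timeZone value is a UTC offset of the form "+08:00"; the page does not document the real format, and the function names, struct and sample input are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: timeZone is a UTC offset such as "+08:00" (format not on the page). */
#define TZ_LEN 6          /* sign, HH, ':', MM */
#define TZ_INVALID 100000 /* sentinel outside any valid offset in minutes */

/* Constructed sample of an oversized form value. */
#define CONSTRUCTED_OVERSIZED "+08:00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

struct tz_offset { int sign, hours, minutes; };

static int digit(char c) { return (c >= '0' && c <= '9') ? c - '0' : -1; }

/* Returns 0 and fills *out, or -1 for malformed or oversized input.
 * The length is checked first and nothing is copied into a fixed-size
 * buffer, so the request cannot overrun the caller's stack storage. */
int parse_timezone(const char *v, size_t len, struct tz_offset *out)
{
    if (v == NULL || out == NULL || len != TZ_LEN) return -1;
    if ((v[0] != '+' && v[0] != '-') || v[3] != ':') return -1;
    int h1 = digit(v[1]), h2 = digit(v[2]);
    int m1 = digit(v[4]), m2 = digit(v[5]);
    if (h1 < 0 || h2 < 0 || m1 < 0 || m2 < 0) return -1;
    int hours = h1 * 10 + h2, minutes = m1 * 10 + m2;
    if (hours > 14 || minutes > 59) return -1; /* semantic range check */
    out->sign = (v[0] == '-') ? -1 : 1;
    out->hours = hours;
    out->minutes = minutes;
    return 0;
}

/* Wrapper for a NUL-terminated form value: signed offset in minutes,
 * or TZ_INVALID when the value is rejected. */
int tz_total_minutes(const char *s)
{
    struct tz_offset tz;
    if (s == NULL || parse_timezone(s, strlen(s), &tz) != 0) return TZ_INVALID;
    return tz.sign * (tz.hours * 60 + tz.minutes);
}

int main(void)
{
    printf("valid:     %d\n", tz_total_minutes("+08:00"));
    printf("oversized: %d\n", tz_total_minutes(CONSTRUCTED_OVERSIZED));
    return 0;
}
```

Rejecting on exact length before parsing means the handler never needs a destination buffer sized by the request; the parsed integers are the only data that leave the function.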
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated stack buffer overflow in a public-facing web interface (/goform/fast_setting_wifi_set) on a router, directly enabling T1190 (Exploit Public-Facing Application). Exploitation results in denial-of-service via application crash, mapping to T1499.004 (Application or System Exploitation).
NVD Description
A vulnerability was found in Tenda AC6 V15.03.05.16. The vulnerability affects the functionality of the /goform/fast_setting_wifi_set file form_fast_setting_wifi_set. Using the timeZone parameter causes a stack-based buffer overflow.
Deeper analysis
CVE-2025-29121 is a stack-based buffer overflow vulnerability, classified under CWE-121, affecting Tenda AC6 routers on firmware version V15.03.05.16. The flaw exists in the /goform/fast_setting_wifi_set functionality, specifically triggered by the timeZone parameter in the form_fast_setting_wifi_set file.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low attack complexity, requiring no privileges or user interaction. Unauthenticated attackers can send crafted requests to cause a stack-based buffer overflow, resulting in high availability impact through denial-of-service, such as crashing the affected router component.
References for CVE-2025-29121 point to GitHub repositories under Raining-101/IOT_cve, including details on the ac6_form_fast_setting_wifi_set timeZone parameter. No vendor advisories or patch information are detailed in the available data.
Details
- CWE(s)