Cyber Resilience

CVE-2025-55603

HighPublic PoC

Published: 22 August 2025

Published
22 August 2025
Modified
26 September 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0016 36.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55603 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Tenda Ax3 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-55603 is a buffer overflow vulnerability (CWE-120) affecting the Tenda AX3 router on firmware version V16.03.12.10_CN. The flaw exists in the fromSetSysTime function, which mishandles the ntpServer parameter, leading to potential memory corruption. Published on 2025-08-22, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation triggers a buffer overflow, resulting in a denial-of-service condition that crashes the affected device, disrupting network services without impacting confidentiality or integrity.

Advisories are available at https://github.com/wudipjq/my_vuln/blob/main/Tenda3/vuln_45/45.md, which provides further technical details on the vulnerability. No vendor patches or specific mitigation steps are detailed in the primary CVE information.

EU & UK References

Vulnerability details

Tenda AX3 V16.03.12.10_CN is vulnerable to Buffer Overflow in the fromSetSysTime function via the ntpServer parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in Tenda AX3 router's fromSetSysTime function via ntpServer parameter allows unauthenticated remote code execution, enabling exploitation of public-facing applications.

CVEs Like This One

CVE-2025-55605Same product: Tenda Ax3
CVE-2025-55606Same product: Tenda Ax3
CVE-2025-69766Same product: Tenda Ax3
CVE-2025-69764Same product: Tenda Ax3
CVE-2025-69763Same product: Tenda Ax3
CVE-2025-69762Same product: Tenda Ax3
CVE-2025-69765Same product: Tenda Ax3
CVE-2025-71026Same product: Tenda Ax3
CVE-2025-71027Same product: Tenda Ax3
CVE-2025-71024Same product: Tenda Ax3

Affected Assets

tenda
ax3 firmware
16.03.12.10_cn

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents buffer overflow by enforcing validation of the ntpServer parameter in the fromSetSysTime function.

prevent

Requires timely flaw remediation through firmware updates to eliminate the buffer overflow vulnerability.

prevent

Implements memory protection mechanisms to mitigate memory corruption from the buffer overflow exploitation.

References