CVE-2025-55603
Published: 22 August 2025
Summary
CVE-2025-55603 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Tenda AX3 firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 36.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-55603 is a buffer overflow vulnerability (CWE-120) affecting the Tenda AX3 router on firmware version V16.03.12.10_CN. The flaw exists in the fromSetSysTime function, which mishandles the ntpServer parameter, leading to potential memory corruption. Published on 2025-08-22, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation triggers a buffer overflow, resulting in a denial-of-service condition that crashes the affected device, disrupting network services without impacting confidentiality or integrity.
An advisory is available at https://github.com/wudipjq/my_vuln/blob/main/Tenda3/vuln_45/45.md, which provides further technical details on the vulnerability. No vendor patches or specific mitigation steps are detailed in the primary CVE information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28603
Vulnerability details
Tenda AX3 V16.03.12.10_CN is vulnerable to Buffer Overflow in the fromSetSysTime function via the ntpServer parameter.
- CWE(s): CWE-120 (Classic Buffer Overflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in Tenda AX3 router's fromSetSysTime function via ntpServer parameter allows unauthenticated remote code execution, enabling exploitation of public-facing applications.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents the buffer overflow by enforcing validation of the ntpServer parameter in the fromSetSysTime function.
- SI-2 (Flaw Remediation): Requires timely flaw remediation through firmware updates to eliminate the buffer overflow vulnerability.
- SI-16 (Memory Protection): Implements memory protection mechanisms to mitigate memory corruption resulting from the buffer overflow.
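The following is an added example, not code from the advisory or from Tenda's firmware: a sketch of the SI-10 style check described above, which validates an NTP server name for length and character set before it is copied into a fixed-size buffer. The function names and the 64-byte buffer size are assumptions; the page does not state the real buffer size or handler layout.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define NTP_SERVER_MAX 64   /* assumed destination size, not from the page */

/* Returns 1 if s is a hostname or IPv4 literal that fits in cap bytes
 * (terminating NUL included), otherwise 0. Never reads past cap bytes. */
int ntp_server_is_valid(const char *s, size_t cap)
{
    if (s == NULL || cap == 0)
        return 0;

    size_t len = 0;
    while (len < cap && s[len] != '\0')   /* bounded length scan */
        len++;
    if (len == 0 || len >= cap)
        return 0;                         /* empty, or no room for the NUL */

    size_t label = 0;                     /* length of the current DNS label */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;                 /* empty label or label ending in '-' */
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63)
                return 0;                 /* DNS labels are at most 63 bytes */
        } else {
            return 0;                     /* any other byte is rejected */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Copies input into dst only after validation. Returns 0 on success,
 * -1 on rejection (dst is left untouched in that case). */
int set_ntp_server(char dst[NTP_SERVER_MAX], const char *input)
{
    if (!ntp_server_is_valid(input, NTP_SERVER_MAX))
        return -1;
    memcpy(dst, input, strlen(input) + 1);   /* length already proven < cap */
    return 0;
}
```

The length check runs before any copy, so an oversized value is rejected rather than truncated or written past the buffer.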