CVE-2025-55605
Published: 22 August 2025
Summary
CVE-2025-55605 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Tenda Ax3 Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-55605 is a buffer overflow vulnerability affecting the Tenda AX3 router running firmware version V16.03.12.10_CN. The issue resides in the saveParentControlInfo function, which can be triggered via the deviceName parameter. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation leads to a denial of service condition due to the high availability impact, potentially causing the device to crash or reboot, while confidentiality and integrity remain unaffected.
Advisories detailing the vulnerability are available in GitHub repositories at https://github.com/wudipjq/my_vuln/blob/main/Tenda3/vuln_46/46.md. No specific patch or mitigation details beyond these sources are provided in the CVE publication dated 2025-08-22.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25541
Vulnerability details
Tenda AX3 V16.03.12.10_CN is vulnerable to Buffer Overflow in the saveParentControlInfo function via the deviceName parameter.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the saveParentControlInfo function via deviceName parameter in Tenda AX3 router's web interface enables remote code execution by exploiting a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the buffer overflow vulnerability by identifying, prioritizing, and applying patches or updates to the affected Tenda AX3 firmware.
Information input validation enforces checks on the size and format of the deviceName parameter to prevent the classic buffer overflow in saveParentControlInfo.
Memory protection mechanisms such as stack canaries, ASLR, and non-executable memory mitigate exploitation of the buffer overflow, reducing the likelihood of successful DoS crashes.