Cyber Resilience

CVE-2025-55605

HighPublic PoC

Published: 22 August 2025

Published
22 August 2025
Modified
26 September 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0016 36.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55605 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Tenda Ax3 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-55605 is a buffer overflow vulnerability affecting the Tenda AX3 router running firmware version V16.03.12.10_CN. The issue resides in the saveParentControlInfo function, which can be triggered via the deviceName parameter. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation leads to a denial of service condition due to the high availability impact, potentially causing the device to crash or reboot, while confidentiality and integrity remain unaffected.

Advisories detailing the vulnerability are available in GitHub repositories at https://github.com/wudipjq/my_vuln/blob/main/Tenda3/vuln_46/46.md. No specific patch or mitigation details beyond these sources are provided in the CVE publication dated 2025-08-22.

EU & UK References

Vulnerability details

Tenda AX3 V16.03.12.10_CN is vulnerable to Buffer Overflow in the saveParentControlInfo function via the deviceName parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in the saveParentControlInfo function via deviceName parameter in Tenda AX3 router's web interface enables remote code execution by exploiting a public-facing application.

CVEs Like This One

CVE-2025-55603Same product: Tenda Ax3
CVE-2025-55606Same product: Tenda Ax3
CVE-2025-69766Same product: Tenda Ax3
CVE-2025-69764Same product: Tenda Ax3
CVE-2025-69763Same product: Tenda Ax3
CVE-2025-69762Same product: Tenda Ax3
CVE-2025-69765Same product: Tenda Ax3
CVE-2025-71026Same product: Tenda Ax3
CVE-2025-71027Same product: Tenda Ax3
CVE-2025-71024Same product: Tenda Ax3

Affected Assets

tenda
ax3 firmware
16.03.12.10_cn

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly addresses the buffer overflow vulnerability by identifying, prioritizing, and applying patches or updates to the affected Tenda AX3 firmware.

prevent

Information input validation enforces checks on the size and format of the deviceName parameter to prevent the classic buffer overflow in saveParentControlInfo.

prevent

Memory protection mechanisms such as stack canaries, ASLR, and non-executable memory mitigate exploitation of the buffer overflow, reducing the likelihood of successful DoS crashes.

References