CVE-2025-55605

HighPublic PoC

Published: 22 August 2025

Published

22 August 2025

Modified

26 September 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0013 32.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55605 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Tenda Ax3 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-27 Platform-independent Applications

addresses: CWE-120

Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Buffer overflow in the saveParentControlInfo function via deviceName parameter in Tenda AX3 router's web interface enables remote code execution by exploiting a public-facing application.

NVD Description

Tenda AX3 V16.03.12.10_CN is vulnerable to Buffer Overflow in the saveParentControlInfo function via the deviceName parameter.

Deeper analysisAI

CVE-2025-55605 is a buffer overflow vulnerability affecting the Tenda AX3 router running firmware version V16.03.12.10_CN. The issue resides in the saveParentControlInfo function, which can be triggered via the deviceName parameter. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation leads to a denial of service condition due to the high availability impact, potentially causing the device to crash or reboot, while confidentiality and integrity remain unaffected.

Advisories detailing the vulnerability are available in GitHub repositories at https://github.com/wudipjq/my_vuln/blob/main/Tenda3/vuln_46/46.md. No specific patch or mitigation details beyond these sources are provided in the CVE publication dated 2025-08-22.

Details

CWE(s): CWE-120

Affected Products

tenda

ax3 firmware

16.03.12.10_cn

CVEs Like This One

CVE-2025-55606Same product: Tenda Ax3

CVE-2025-55603Same product: Tenda Ax3

CVE-2025-69763Same product: Tenda Ax3

CVE-2025-69762Same product: Tenda Ax3

CVE-2025-69765Same product: Tenda Ax3

CVE-2025-69764Same product: Tenda Ax3

CVE-2025-69766Same product: Tenda Ax3

CVE-2025-71024Same product: Tenda Ax3

CVE-2025-71023Same product: Tenda Ax3

CVE-2025-71026Same product: Tenda Ax3

References

https://github.com/wudipjq/my_vuln/blob/main/Tenda3/vuln_46/46.md
Exploit, Third Party Advisory · cve@mitre.org
https://github.com/wudipjq/my_vuln/blob/main/Tenda3/vuln_46/46.md
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0