CVE-2025-68706

Critical

Published: 29 December 2025

Published

29 December 2025

Modified

15 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0019 41.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-68706 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Kuwfi Ac900 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation and bounds checking of user-supplied pincode input to prevent stack buffer overflow in the /goform/formMultiApnSetting handler.

SI-16 Memory Protection good match

prevent

Provides memory protection mechanisms such as stack canaries and non-executable stacks to block exploitation of the stack-based buffer overflow.

SI-2 Flaw Remediation good match

prevent

Ensures timely flaw remediation by patching the unsafe sprintf usage without bounds checks in the GoAhead-Webs HTTP daemon.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated stack-based buffer overflow in public-facing HTTP daemon (/goform/formMultiApnSetting) exploitable via crafted HTTP request for DoS or potential RCE, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer with no bounds checks.…

This allows an attacker to corrupt adjacent stack memory, crash the web server, and (under certain conditions) may enable arbitrary code execution.

Deeper analysisAI

CVE-2025-68706 is a stack-based buffer overflow vulnerability in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware version 1.0.13. The issue resides in the /goform/formMultiApnSetting handler, which employs sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer without bounds checking, as classified under CWE-121 (Stack-based Buffer Overflow). Published on 2025-12-29, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker with network access can exploit this vulnerability by submitting a specially crafted HTTP request containing an overly long pincode parameter. This triggers buffer overflow, corrupting adjacent stack memory and enabling denial-of-service via web server crashes. Under certain conditions, the overflow may facilitate arbitrary code execution.

Advisories and additional details are available via the provided references, including a technical report at https://drive.proton.me/urls/HJCJYAC7JM#XtHcm3P7QaYk, exploit details in https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-68706.txt, related repository at https://github.com/actuator/cve/tree/main/Kuwfi, and product information at https://kuwfi.com/products/kuwfi-gigabit-wireless-router-4g-lte-wifi-router-dual-band-portable-wifi-modem-hotspot-64-user-with-gigabit-wan-lan-rj11-port. No specific patches or mitigations are detailed in the primary description.