CVE-2025-7418
Published: 10 July 2025
Summary
CVE-2025-7418 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda O3 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
SI-10 requires validation of inputs like the destIP argument at the /goform/setPing endpoint, directly preventing the stack-based buffer overflow from improper input handling.
SI-2 mandates identification, reporting, and correction of flaws such as this publicly disclosed buffer overflow vulnerability through timely patching and vulnerability scanning.
SI-16 implements memory safeguards like stack canaries or DEP to protect against exploitation of stack-based buffer overflows leading to arbitrary code execution.
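One way to apply the SI-10 validation described above, as an added example that is not Tenda's firmware code and is not taken from the referenced proof-of-concept: a hypothetical handler that rejects an oversized or non-IPv4 destIP value before anything is written to a fixed stack buffer. The names copy_ping_dest, handle_set_ping and DEST_MAX, the buffer size, and the IPv4-only policy are assumptions.

```c
/* Added example: hypothetical handler, not Tenda firmware code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define DEST_MAX 16   /* assumed size: "255.255.255.255" plus NUL */

/* Copy dest_ip into out only if it fits and parses as a dotted-quad IPv4
 * address. Returns 0 on success, -1 if the request must be rejected. */
int copy_ping_dest(const char *dest_ip, char *out, size_t out_len)
{
    struct in_addr addr;
    const char *nul;
    size_t n;

    if (dest_ip == NULL || out == NULL || out_len == 0)
        return -1;
    /* Bounded scan: the terminator must lie within the space we can store. */
    nul = memchr(dest_ip, '\0', out_len);
    if (nul == NULL)
        return -1;                       /* too long for the buffer */
    n = (size_t)(nul - dest_ip);
    if (n == 0 || inet_pton(AF_INET, dest_ip, &addr) != 1)
        return -1;                       /* empty or not an IPv4 literal */
    memcpy(out, dest_ip, n + 1);         /* n + 1 <= out_len by construction */
    return 0;
}

/* Hypothetical request handler: returns an HTTP status code. */
int handle_set_ping(const char *dest_ip)
{
    char dest[DEST_MAX];                 /* fixed-size stack buffer */

    if (copy_ping_dest(dest_ip, dest, sizeof dest) != 0)
        return 400;                      /* rejected before any copy happens */
    /* dest now holds a validated, NUL-terminated address for the ping logic */
    return 200;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "192.168.1.1", "", "192.168.1.999",
                              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s -> %d\n", samples[i], handle_set_ping(samples[i]));
    return 0;
}
```

The length check runs before the copy and is tied to the destination's actual size, which is the property an unbounded copy into a stack array lacks.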
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The CVE describes a remotely exploitable stack-based buffer overflow in the httpd web interface (/goform/setPing) of the Tenda O3V2 router, enabling adversaries to gain initial access by exploiting a public-facing application. Public PoC available.
NVD Description
A vulnerability was found in Tenda O3V2 1.0.0.12(3880) and classified as critical. Affected by this issue is the function fromPingResultGet of the file /goform/setPing of the component httpd. The manipulation of the argument destIP leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis (AI)
CVE-2025-7418 is a critical stack-based buffer overflow vulnerability affecting the Tenda O3V2 router running firmware version 1.0.0.12(3880). The issue resides in the fromPingResultGet function within the /goform/setPing endpoint of the httpd component, where manipulation of the destIP argument triggers the overflow. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). The vulnerability was publicly disclosed on 2025-07-10.
The vulnerability can be exploited remotely by an attacker with low privileges, such as an authenticated user on the device. By sending a specially crafted request to the /goform/setPing endpoint with a malicious destIP value, the attacker triggers the buffer overflow, potentially leading to arbitrary code execution and full compromise of confidentiality, integrity, and availability (high impact across C/I/A). No user interaction is required.
References, including GitHub repositories and VulDB entries, provide details on the vulnerability and a proof-of-concept exploit but do not specify official patches, vendor advisories, or mitigation steps beyond general recommendations to avoid untrusted inputs.
A publicly available exploit PoC has been disclosed, increasing the risk of active exploitation against unpatched Tenda O3V2 devices.
Details
- CWE(s)