CVE-2025-8958
Published: 14 August 2025
Summary
CVE-2025-8958 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Tx3 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 39.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents stack-based buffer overflows by validating the 'ssid' argument in the /goform/fast_setting_wifi_set endpoint against expected bounds and formats.
Implements memory protections such as stack canaries, ASLR, and DEP to mitigate exploitation of stack-based buffer overflows for arbitrary code execution.
Requires timely remediation of the identified buffer overflow flaw through firmware updates for the Tenda TX3 router.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unauthenticated remote stack-based buffer overflow in the Tenda TX3 router's /goform/fast_setting_wifi_set web interface allows attackers to crash the device, enabling endpoint denial of service through application exploitation.
NVD Description
A vulnerability was identified in Tenda TX3 16.03.13.11_multi_TDE01. Affected by this vulnerability is an unknown functionality of the file /goform/fast_setting_wifi_set. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has…
more
been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-8958 is a stack-based buffer overflow vulnerability affecting the Tenda TX3 router running firmware version 16.03.13.11_multi_TDE01. The issue resides in an unknown functionality of the /goform/fast_setting_wifi_set endpoint, where manipulation of the 'ssid' argument triggers the overflow. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2025-08-14.
An attacker with low privileges (such as an authenticated user) can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation of the buffer overflow could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data compromise, or denial of service on the affected device.
Advisories and additional details are documented in references including VULDB entries (ctiid.319927, id.319927, submit.627861, submit.628117) and a GitHub issue at alc9700jmo/CVE/issues/16. The exploit has been publicly disclosed and may be used by attackers. No specific patch information is detailed in the available data.
Details
- CWE(s)