CVE-2025-8958
Published: 14 August 2025
Summary
CVE-2025-8958 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Tx3 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 20.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A stack-based buffer overflow vulnerability, tracked as CVE-2025-8958, affects the Tenda TX3 wireless router running firmware version 16.03.13.11_multi_TDE01. The flaw resides in an unknown function within the /goform/fast_setting_wifi_set endpoint, where unsanitized input supplied to the ssid argument can overflow a stack buffer. The issue is identified under CWE-119 and CWE-121 and carries a CVSS 4.0 score of 7.4, reflecting network-accessible attack conditions with low complexity and no required user interaction.
An authenticated remote attacker can supply a crafted ssid value to trigger the overflow, potentially leading to arbitrary code execution or denial of service on the device. The vulnerability can be reached over the network without special preconditions beyond low-privileged access, and a working exploit has already been made public.
No vendor advisory or patch information is referenced in the available disclosures. The associated EPSS score remains flat at 0.0122 with no observed increase since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24686
Vulnerability details
A vulnerability was identified in Tenda TX3 16.03.13.11_multi_TDE01. Affected by this vulnerability is an unknown functionality of the file /goform/fast_setting_wifi_set. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has…
more
been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unauthenticated remote stack-based buffer overflow in the Tenda TX3 router's /goform/fast_setting_wifi_set web interface allows attackers to crash the device, enabling endpoint denial of service through application exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents stack-based buffer overflows by validating the 'ssid' argument in the /goform/fast_setting_wifi_set endpoint against expected bounds and formats.
Implements memory protections such as stack canaries, ASLR, and DEP to mitigate exploitation of stack-based buffer overflows for arbitrary code execution.
Requires timely remediation of the identified buffer overflow flaw through firmware updates for the Tenda TX3 router.