CVE-2025-9299
Published: 21 August 2025
Summary
CVE-2025-9299 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda M3 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires validation of the manipulated 'Time' argument in the /goform/getMasterPassengerAnalyseData endpoint to directly prevent the stack-based buffer overflow.
Implements memory protections such as stack canaries, ASLR, and DEP to mitigate exploitation of the stack buffer overflow vulnerability.
Mandates timely remediation of identified flaws like CVE-2025-9299 through patching or workarounds for the affected Tenda M3 firmware.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in a public web endpoint (/goform/getMasterPassengerAnalyseData) directly enables remote exploitation of a network device for code execution (T1190).
NVD Description
A vulnerability has been found in Tenda M3 1.0.0.12. Affected by this vulnerability is the function formGetMasterPassengerAnalyseData of the file /goform/getMasterPassengerAnalyseData. The manipulation of the argument Time leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-9299 is a stack-based buffer overflow vulnerability affecting the Tenda M3 router on firmware version 1.0.0.12. The flaw exists in the formGetMasterPassengerAnalyseData function, processed via the /goform/getMasterPassengerAnalyseData endpoint. It is triggered by manipulating the Time argument, as documented under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity and low privileges required, without user interaction. An attacker with low-privilege access, such as an authenticated user, can send a crafted request to overflow the stack, potentially achieving high impacts on confidentiality, integrity, and availability, including arbitrary code execution.
Advisories and references, including VulDB entries (CTI ID 320904, ID 320904) and a GitHub repository, detail the vulnerability and provide a proof-of-concept exploit. The exploit has been publicly disclosed, but no vendor patches or specific mitigation steps are mentioned in the available sources. Security practitioners should isolate affected devices and monitor for anomalous traffic to the endpoint.
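The monitoring recommended above, as an added example (not code from the advisory, the vendor, or the referenced repository): a Python check that flags requests to the endpoint whose Time value is unusually long or contains non-printable bytes. The record layout (as produced by a hypothetical logging proxy in front of the management interface), the 32-character threshold, and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/getMasterPassengerAnalyseData"  # endpoint named in the advisory
MAX_TIME_LEN = 32  # assumption: a legitimate time value is short; tune to observed traffic


def time_values(record):
    """Return every 'Time' value in the query string and form body,
    or None when the request does not target the affected endpoint."""
    parts = urlsplit(record["uri"])
    if parts.path != ENDPOINT:
        return None
    values = []
    for raw in (parts.query, record.get("body", "")):
        values += parse_qs(raw, keep_blank_values=True).get("Time", [])
    return values


def suspicious(record):
    """Return a reason string if the request should raise an alert, else None."""
    values = time_values(record)
    if values is None:
        return None
    for v in values:
        if len(v) > MAX_TIME_LEN:
            return f"Time length {len(v)} exceeds {MAX_TIME_LEN}"
        if not all(0x20 <= ord(c) < 0x7F for c in v):
            return "Time contains non-printable bytes"
    return None


def scan(records):
    """Return (source address, reason) for every flagged record."""
    return [(r["src"], reason) for r in records if (reason := suspicious(r))]


# Constructed sample records (not real traffic); "/goform/other" is a made-up path.
SAMPLE = [
    {"src": "192.0.2.10", "uri": ENDPOINT + "?Time=2025-08-21", "body": ""},
    {"src": "192.0.2.77", "uri": ENDPOINT, "body": "Time=" + "A" * 600},
    {"src": "192.0.2.78", "uri": ENDPOINT + "?Time=%01%02abc", "body": ""},
    {"src": "192.0.2.10", "uri": "/goform/other?Time=" + "A" * 600, "body": ""},
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE):
        print(src, reason)
```

The same length and character checks can be enforced as a blocking rule at a reverse proxy, which approximates the SI-10 input validation the device itself lacks.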
Details
- CWE(s)