CVE-2025-0349 Overview
A critical stack-based buffer overflow vulnerability has been identified in Tenda AC6 router firmware version 15.03.05.16. The vulnerability exists in the GetParentControlInfo function located in the /goform/GetParentControlInfo file. Attackers can exploit this flaw by manipulating the src or mac arguments, potentially leading to remote code execution or device compromise. The exploit has been publicly disclosed, and other parameters within this function may also be affected.
Critical Impact
This stack-based buffer overflow vulnerability allows remote attackers to execute arbitrary code or crash the affected Tenda AC6 routers, potentially compromising network security and enabling further attacks on connected devices.
Affected Products
- Tenda AC6 Firmware version 15.03.05.16
- Tenda AC6 Hardware Device
- Tenda AC6 Router (all configurations running vulnerable firmware)
Discovery Timeline
- 2025-01-09 - CVE-2025-0349 published to NVD
- 2025-03-22 - Last updated in NVD database
Technical Details for CVE-2025-0349
Vulnerability Analysis
This vulnerability is a stack-based buffer overflow (CWE-787: Out-of-bounds Write, CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) affecting the Tenda AC6 router's web interface. The vulnerable GetParentControlInfo function fails to properly validate the length of user-supplied input for the src and mac parameters before copying the data to a fixed-size stack buffer.
When an attacker submits an overly long string through the vulnerable endpoint, the function writes data beyond the allocated buffer space on the stack. This overwrites adjacent memory including return addresses, potentially allowing an attacker to hijack the execution flow. As a network-accessible vulnerability requiring low-privilege access and no user interaction, exploitation is relatively straightforward once an attacker has network access to the router's management interface.
Root Cause
The root cause is insufficient input validation and lack of bounds checking in the GetParentControlInfo function. The firmware does not verify that the src and mac parameter values conform to expected length constraints before processing them. This allows oversized input to overflow the stack buffer, corrupting adjacent memory regions and potentially overwriting critical control data such as the function's return pointer.
Attack Vector
The attack can be executed remotely over the network by sending a crafted HTTP request to the /goform/GetParentControlInfo endpoint on the router's web management interface. An attacker with low-level authenticated access to the router can submit maliciously crafted values for the src or mac parameters containing excessive data.
The exploitation flow typically involves:
- Identifying a Tenda AC6 router running firmware version 15.03.05.16
- Accessing the router's web management interface
- Sending a crafted HTTP request to /goform/GetParentControlInfo with an oversized src or mac parameter
- The buffer overflow corrupts stack memory, potentially overwriting the return address
- The attacker gains control of program execution, enabling arbitrary code execution
Technical details about the vulnerability mechanism can be found in the GitHub CVE Issue Discussion and VulDB #290862.
Detection Methods for CVE-2025-0349
Indicators of Compromise
- Unexpected HTTP requests to /goform/GetParentControlInfo with abnormally long src or mac parameter values
- Router crashes, reboots, or unusual behavior following web management interface access
- Unauthorized configuration changes on the router
- Unexpected outbound network connections from the router device
Detection Strategies
- Deploy network monitoring to detect HTTP requests to /goform/GetParentControlInfo with unusually large payloads
- Monitor for repeated connection attempts to the router's web management interface from unknown sources
- Implement IDS/IPS rules to flag HTTP POST requests to Tenda router endpoints containing oversized parameters
- Review router logs for signs of exploitation attempts or unexpected service restarts
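Added example (not from the advisory or from Tenda): a minimal sensor-side check in Python that parses captured HTTP requests and flags oversized parameters sent to /goform/GetParentControlInfo, covering both query-string and POST form bodies. The length limits, the sample requests and the host name router.example are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/goform/GetParentControlInfo"
# Assumed limits, not taken from the firmware: a colon-separated MAC address is
# 17 characters; 64 is an arbitrary ceiling for src and any other parameter.
LIMITS = {"mac": 17}
DEFAULT_LIMIT = 64


def inspect_request(raw: bytes):
    """Return (param, decoded_length, limit) for each oversized parameter."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return []  # not a well-formed request line
    method, target, _version = parts
    url = urlsplit(target)
    if unquote(url.path) != ENDPOINT:
        return []
    # latin-1 maps each percent-decoded byte to one character, so len() is the
    # number of bytes the handler would receive after URL decoding.
    pairs = parse_qsl(url.query, keep_blank_values=True, encoding="latin-1")
    if method.upper() == "POST":
        pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                           encoding="latin-1")
    return [(name, len(value), LIMITS.get(name, DEFAULT_LIMIT))
            for name, value in pairs
            if len(value) > LIMITS.get(name, DEFAULT_LIMIT)]


# Constructed sample requests, as a network sensor might capture them.
SAMPLES = {
    "normal": b"GET /goform/GetParentControlInfo?mac=aa:bb:cc:dd:ee:ff HTTP/1.1\r\n"
              b"Host: router.example\r\n\r\n",
    "long_mac": b"GET /goform/GetParentControlInfo?mac=" + b"A" * 200 +
                b" HTTP/1.1\r\nHost: router.example\r\n\r\n",
    "long_src_post": b"POST /goform/GetParentControlInfo HTTP/1.1\r\n"
                     b"Host: router.example\r\n\r\nsrc=" + b"%42" * 300,
    "other_path": b"GET /goform/Other?mac=" + b"A" * 200 + b" HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, inspect_request(raw))
```

Because the advisory notes that other parameters of this function may also be affected, the check applies the default ceiling to every parameter rather than only src and mac.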
Monitoring Recommendations
- Enable logging on network devices to capture all traffic to/from the Tenda AC6 router management interface
- Monitor for firmware integrity changes or unexpected configuration modifications
- Set up alerts for router reboots or service interruptions that could indicate successful exploitation
- Implement network segmentation monitoring to detect lateral movement from compromised IoT devices
How to Mitigate CVE-2025-0349
Immediate Actions Required
- Restrict access to the router's web management interface to trusted IP addresses only
- Disable remote management features if not required
- Place the router's management interface on a separate, isolated network segment
- Monitor network traffic for signs of exploitation attempts
- Consider replacing the device with a supported model if no firmware update is available
Patch Information
At the time of publication, no official patch from Tenda has been identified for this vulnerability. Users should check the Tenda Official Website for firmware updates. Given the public disclosure of this vulnerability, it is critical to implement workarounds until an official fix becomes available.
Workarounds
- Disable remote administration and limit web interface access to wired LAN connections only
- Implement firewall rules to block external access to the router's management ports (typically TCP port 80/443)
- Use a VPN for any remote administration needs rather than exposing the management interface directly
- Consider deploying a hardware firewall in front of the affected router to filter malicious requests
- Schedule regular monitoring of Tenda security advisories and VulDB for updates on this vulnerability
```bash
# Example rules for an upstream Linux firewall that forwards traffic to the router.
# Forwarded packets traverse the FORWARD chain, and rules are evaluated in order,
# so the ACCEPT for the trusted admin host must come before the DROP rules.
# Restrict management interface access to a specific trusted IP
iptables -A FORWARD -s <trusted_admin_ip> -d <router_ip> -p tcp --dport 80 -j ACCEPT
# Block all other access to the router's management ports
iptables -A FORWARD -d <router_ip> -p tcp --dport 80 -j DROP
iptables -A FORWARD -d <router_ip> -p tcp --dport 443 -j DROP
```


