CVE-2025-63147 Overview
CVE-2025-63147 is a stack overflow vulnerability discovered in Tenda AX3 V16.03.12.10_CN firmware. The vulnerability exists in the deviceId parameter of the saveParentControlInfo function. When exploited, this flaw allows attackers to cause a Denial of Service (DoS) condition via a specially crafted request, potentially rendering the device unresponsive and disrupting network connectivity for all connected users.
Critical Impact
Attackers can remotely crash the Tenda AX3 router without authentication, causing network outages for all devices dependent on the router for connectivity.
Affected Products
- Tenda AX3 Firmware version 16.03.12.10_CN
- Tenda AX3 hardware devices running vulnerable firmware
Discovery Timeline
- 2025-11-10 - CVE-2025-63147 published to NVD
- 2025-11-18 - Last updated in NVD database
Technical Details for CVE-2025-63147
Vulnerability Analysis
This vulnerability is classified under CWE-787 (Out-of-bounds Write) and CWE-121 (Stack-based Buffer Overflow). The flaw resides in the saveParentControlInfo function within the Tenda AX3 firmware, which fails to properly validate the length of data passed through the deviceId parameter before copying it to a stack buffer.
When an attacker sends a request with an oversized or malformed deviceId value, the function writes beyond the allocated buffer boundaries on the stack. This overwrites critical stack data including return addresses and saved registers, leading to memory corruption that crashes the router's web management service or the device itself.
The attack can be executed remotely over the network without requiring authentication, making it particularly dangerous for internet-facing devices or those on compromised networks.
Root Cause
The root cause of this vulnerability is insufficient input validation in the saveParentControlInfo function. The firmware does not verify that the length of the deviceId parameter is within expected bounds before copying the data to a fixed-size stack buffer. This classic buffer overflow pattern allows an attacker to supply an excessively long input that overflows the buffer and corrupts adjacent memory.
Attack Vector
The vulnerability is exploited through network-based requests targeting the router's web management interface. An attacker crafts a malicious HTTP request to the saveParentControlInfo endpoint containing an oversized deviceId parameter value.
When the vulnerable function processes this request, the stack buffer overflow occurs, corrupting memory and causing the device to crash. Since no authentication is required to trigger this condition, any attacker with network access to the router's management interface can exploit this vulnerability.
The attack does not require user interaction and can be launched remotely, making it suitable for automated scanning and exploitation at scale against vulnerable Tenda AX3 devices.
Detection Methods for CVE-2025-63147
Indicators of Compromise
- Unexpected router reboots or service interruptions without apparent cause
- HTTP requests to the router management interface containing abnormally long deviceId parameter values
- Network logs showing repeated requests to the saveParentControlInfo endpoint from suspicious sources
- Crash logs or memory dump artifacts indicating stack corruption
Detection Strategies
- Monitor network traffic for HTTP requests to the router's management interface with unusually large parameter values
- Implement intrusion detection rules to flag requests to saveParentControlInfo with deviceId parameters exceeding normal length thresholds
- Configure alerting for router availability drops or unexpected service restarts
- Deploy network-based anomaly detection to identify potential DoS attack patterns targeting IoT devices
Monitoring Recommendations
- Enable logging on any firewall or security gateway protecting the router's management interface
- Monitor for high volumes of requests targeting the router's web interface from single sources
- Track device uptime and availability metrics to quickly identify DoS events
- Review network flow data for unusual traffic patterns targeting the Tenda AX3 device
How to Mitigate CVE-2025-63147
Immediate Actions Required
- Restrict access to the router's web management interface to trusted networks or IP addresses only
- Disable remote management features if not required
- Place the router behind a firewall that filters malicious traffic
- Monitor for firmware updates from Tenda that address this vulnerability
Patch Information
At the time of publication, no vendor-supplied patch has been confirmed for this vulnerability. Users should monitor Tenda's official support channels and the GitHub Vulnerability Report for updates. When a patched firmware version becomes available, apply it immediately following the manufacturer's upgrade procedures.
Workarounds
- Disable the web management interface and use only local console access if possible
- Configure firewall rules to block external access to the router's management ports (typically TCP/80 and TCP/443)
- Implement network segmentation to limit which hosts can reach the router's management interface
- Consider replacing the affected device with a router from a vendor with a more responsive security update process
# Example firewall rule to restrict management access (iptables)
# Allow management access only from trusted subnet 192.168.1.0/24
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
