CVE-2025-69764: Tenda AX3 Firmware RCE Vulnerability

CVE-2025-69764 Overview

CVE-2025-69764 is a stack-based buffer overflow [CWE-121] affecting Tenda AX3 routers running firmware version 16.03.12.11. The flaw resides in the formGetIptv function, where the stbpvid stack buffer is handled without proper bounds checking. An unauthenticated remote attacker can send a crafted HTTP request to corrupt stack memory and achieve remote code execution on the device.

Critical Impact

Unauthenticated attackers on the network can corrupt router memory and execute arbitrary code, leading to full compromise of the device and the network behind it.

Affected Products

• Tenda AX3 router (hardware)
• Tenda AX3 firmware version 16.03.12.11
• Deployments exposing the web management interface to untrusted networks

Discovery Timeline

• 2026-01-22 - CVE-2025-69764 published to the National Vulnerability Database
• 2026-01-26 - Last updated in NVD database

Technical Details for CVE-2025-69764

Vulnerability Analysis

The vulnerability lives inside the formGetIptv handler exposed by the Tenda AX3 web management interface. The handler parses IPTV configuration parameters submitted through HTTP form requests. One of those parameters, stbpvid, is copied into a fixed-size stack buffer without validating the attacker-supplied length.

When the supplied value exceeds the buffer size, adjacent stack data including the saved return address is overwritten. The attacker controls the overflow content, so the saved return address can be redirected to attacker-controlled code or to gadgets already present in the firmware image. Successful exploitation yields code execution in the context of the web server process, which on Tenda devices typically runs with root privileges.

Because the issue is reachable before authentication on many Tenda AX3 firmware builds and requires only a single HTTP request, it is well-suited for mass scanning and worm-style propagation across exposed routers.

Root Cause

The root cause is improper handling of the stbpvid parameter inside formGetIptv. The function relies on unchecked string-copy semantics rather than bounded copy routines, allowing user input from the HTTP request body to overflow a stack buffer. This pattern is consistent with [CWE-121: Stack-based Buffer Overflow].

Attack Vector

Exploitation is performed over the network against the router's HTTP management service. The attacker crafts a POST request to the IPTV configuration endpoint and supplies an oversized stbpvid value. No credentials and no user interaction are required. Technical analysis of the overflow path is described in the Notion Analysis on Tenda AX3.

No public proof-of-concept exploit code is referenced in the NVD entry, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The current EPSS probability is 0.156%.

Detection Methods for CVE-2025-69764

Indicators of Compromise

• HTTP POST requests to IPTV configuration endpoints containing abnormally long stbpvid parameter values
• Unexpected reboots or crashes of the Tenda AX3 web management daemon
• Outbound connections from the router to unknown hosts shortly after IPTV configuration traffic
• DNS or routing configuration changes on the router that were not made by an administrator

Detection Strategies

• Inspect HTTP traffic destined for the router management interface and flag requests where stbpvid exceeds expected length boundaries
• Correlate router-originated outbound traffic against baselines, since a compromised router should not initiate arbitrary external connections
• Monitor for repeated connection attempts to TCP port 80 or 443 of internal router IPs from non-administrative hosts

Monitoring Recommendations

• Centralize syslog from Tenda AX3 devices and alert on web service restarts or segmentation faults
• Track firmware versions across the fleet and alert when devices remain on 16.03.12.11
• Capture north-south and east-west traffic involving router management interfaces for retrospective hunting

How to Mitigate CVE-2025-69764

Immediate Actions Required

• Restrict access to the Tenda AX3 web management interface to trusted management VLANs only
• Disable remote (WAN-side) management on all affected devices until a fixed firmware is available
• Audit IPTV configuration settings and reset them if tampering is suspected
• Replace devices that are end-of-support or that cannot receive a vendor patch

Patch Information

No vendor advisory or fixed firmware version is referenced in the NVD entry for CVE-2025-69764 at the time of publication. Administrators should monitor the Tenda support portal for an updated firmware release that supersedes 16.03.12.11 and apply it as soon as it becomes available.

Workarounds

• Place affected routers behind an upstream firewall and block inbound connections to their management ports
• Segment IoT and consumer-grade networking equipment away from sensitive corporate assets
• Use an upstream device for IPTV processing where feasible, reducing reliance on the vulnerable formGetIptv handler
• Disable any port-forwarding rules that expose the router web interface to the internet

# Example: block external access to the router management interface
# Adjust ROUTER_IP and WAN_IFACE to match your environment
iptables -I INPUT  -i $WAN_IFACE -p tcp --dport 80  -j DROP
iptables -I INPUT  -i $WAN_IFACE -p tcp --dport 443 -j DROP
iptables -I FORWARD -d $ROUTER_IP -p tcp -m multiport --dports 80,443 -j DROP