CVE-2025-70644 Overview
A stack overflow vulnerability has been discovered in the Tenda AX-1806 router firmware version 1.0.0.1. The vulnerability exists in the time parameter of the sub_60CFC function, which fails to properly validate input length before copying data to a stack-based buffer. This vulnerability allows remote attackers to cause a Denial of Service (DoS) condition by sending specially crafted requests to the affected device.
Critical Impact
Remote attackers can crash the Tenda AX-1806 router without authentication, causing network disruption for all connected devices.
Affected Products
- Tenda AX-1806 v1.0.0.1
Discovery Timeline
- 2026-01-21 - CVE-2025-70644 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-70644
Vulnerability Analysis
This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), a memory corruption flaw that occurs when data is written beyond the boundaries of a fixed-length buffer allocated on the stack. The sub_60CFC function in the Tenda AX-1806 firmware processes the time parameter without adequate bounds checking.
When an attacker sends a request with an oversized time parameter value, the function copies the data directly to a stack buffer without verifying that the input length does not exceed the buffer's capacity. This overwrites adjacent stack memory, corrupting critical data structures including the function's return address and saved frame pointer.
The vulnerability is exploitable over the network without requiring authentication or user interaction. However, in its current form, it primarily enables denial of service attacks rather than code execution, as the memory corruption leads to application crashes.
Root Cause
The root cause is improper input validation in the sub_60CFC function. The firmware fails to implement boundary checks on the time parameter before copying user-supplied input to a fixed-size stack buffer. This is a classic buffer overflow pattern where the developer assumed input would never exceed the allocated buffer size, violating secure coding principles for embedded systems.
Attack Vector
The attack can be executed remotely over the network. An unauthenticated attacker sends a crafted HTTP request to the router's web management interface with an excessively long time parameter value. The malicious input triggers the stack overflow in sub_60CFC, causing memory corruption that results in the router service crashing.
The attack requires no privileges, no user interaction, and can be executed from any network location that can reach the router's management interface. While the scope is unchanged (only the vulnerable component is affected), the availability impact is high as the device becomes unresponsive until manually restarted.
Detection Methods for CVE-2025-70644
Indicators of Compromise
- Unexpected router reboots or service interruptions
- Unusual HTTP requests with abnormally long time parameter values targeting the router's web interface
- Network connectivity loss for devices behind the affected Tenda AX-1806 router
- Log entries showing repeated crashes or restarts of the router management service
Detection Strategies
- Monitor network traffic for HTTP requests to Tenda AX-1806 routers containing abnormally large parameter values
- Implement network-based intrusion detection rules to flag requests with time parameters exceeding expected lengths
- Configure logging on network perimeter devices to capture requests targeting router management interfaces
- Deploy anomaly detection to identify unusual traffic patterns directed at embedded device management ports
Monitoring Recommendations
- Enable and regularly review router logs for crash events or unexpected restarts
- Monitor uptime metrics for Tenda AX-1806 devices across the network
- Implement network segmentation to limit exposure of router management interfaces
- Set up alerts for repeated connection failures to devices behind Tenda routers
How to Mitigate CVE-2025-70644
Immediate Actions Required
- Restrict access to the Tenda AX-1806 web management interface to trusted networks only
- Implement firewall rules to block external access to the router's administration ports
- Disable remote management features if not required for operations
- Monitor for firmware updates from Tenda that address this vulnerability
- Consider network segmentation to isolate affected devices
Patch Information
No official patch from Tenda has been confirmed at this time. Organizations should monitor Tenda's official support channels for firmware updates addressing CVE-2025-70644. Additional technical details about the vulnerability are available in the GitHub PoC Repository.
Workarounds
- Disable the web management interface on the WAN side of the router
- Use access control lists (ACLs) to restrict management access to specific IP addresses
- Place the router behind a firewall that can filter malicious requests
- Consider replacing vulnerable devices with alternatives if critical patches are not released
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
