Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70648

CVE-2025-70648: Tenda AX1803 Firmware DoS Vulnerability

CVE-2025-70648 is a stack overflow DoS vulnerability in Tenda AX1803 Firmware affecting the security_5g parameter. Attackers can exploit this flaw to cause service disruption. This article covers technical details, impact, and mitigation.

Updated:

CVE-2025-70648 Overview

CVE-2025-70648 is a stack overflow vulnerability in Tenda AX1803 routers running firmware version 1.0.0.1. The flaw resides in the sub_727F4 function, which improperly handles the security_5g parameter. A remote, unauthenticated attacker can send a crafted request that overflows the stack buffer and crashes the device, resulting in a Denial of Service (DoS). The vulnerability is classified as a stack-based buffer overflow [CWE-121]. No vendor patch has been published in the available references at the time of writing.

Critical Impact

Unauthenticated network attackers can remotely crash Tenda AX1803 routers, disrupting connectivity for all downstream clients.

Affected Products

  • Tenda AX1803 router (hardware)
  • Tenda AX1803 firmware version 1.0.0.1
  • Deployments exposing the router web management interface to untrusted networks

Discovery Timeline

  • 2026-01-21 - CVE-2025-70648 published to NVD
  • 2026-01-26 - Last updated in NVD database

Technical Details for CVE-2025-70648

Vulnerability Analysis

The vulnerability exists in the sub_727F4 function within the Tenda AX1803 firmware. The function processes the security_5g HTTP request parameter without enforcing length validation before copying it into a fixed-size stack buffer. An attacker submits an oversized value, and the copy operation writes past the buffer boundary, corrupting adjacent stack memory including saved return addresses.

The corrupted stack causes the responsible service process to crash. On embedded routers, this typically halts the web management daemon and associated networking functions, severing service for connected clients until the device is rebooted or restored. The flaw is reachable across the network and requires no authentication or user interaction.

Root Cause

The root cause is missing bounds checking on attacker-controlled input. The sub_727F4 function trusts the length of the security_5g parameter and uses an unsafe copy operation into a fixed stack buffer. This pattern matches [CWE-121] Stack-based Buffer Overflow.

Attack Vector

An attacker sends a crafted HTTP request to the router management interface containing an oversized security_5g parameter value. The vulnerable function copies the value into a fixed stack buffer, overflowing it and crashing the process. Exploitation requires only network reach to the router's web interface. Refer to the GitHub Vulnerability Analysis for technical details.

Detection Methods for CVE-2025-70648

Indicators of Compromise

  • Unexpected reboots or crashes of the Tenda AX1803 router followed by loss of LAN and Wi-Fi connectivity
  • HTTP POST or GET requests to the router management interface containing unusually long security_5g parameter values
  • Repeated failed connections to the router web administration port from a single external or internal source

Detection Strategies

  • Inspect HTTP traffic destined for the router management interface and flag requests with security_5g parameter values exceeding expected length thresholds
  • Monitor router uptime and service availability metrics for abnormal restarts correlated with inbound HTTP traffic spikes
  • Correlate network logs with router syslog output to identify malformed administrative requests preceding outages

Monitoring Recommendations

  • Enable syslog forwarding from the router to a centralized log collector for retention and analysis
  • Alert on repeated TCP connections to ports 80 and 443 of the router from non-administrative sources
  • Track baseline router availability and trigger investigation on deviations exceeding normal restart frequency

How to Mitigate CVE-2025-70648

Immediate Actions Required

  • Restrict access to the router web management interface to trusted internal management subnets only
  • Disable remote WAN-side administration if currently enabled on the AX1803
  • Place affected routers behind upstream filtering that drops malformed HTTP requests targeting administrative endpoints

Patch Information

No vendor advisory or firmware patch is listed in the available references for CVE-2025-70648. Monitor the Tenda support site and the GitHub Vulnerability Analysis for updates. Apply firmware updates as soon as Tenda releases a fixed version superseding 1.0.0.1.

Workarounds

  • Segment the router management VLAN from user networks and block administrative ports at the network boundary
  • Replace the AX1803 with a supported device if a firmware fix is not made available by the vendor
  • Reboot the device to restore service after a crash and investigate the source of the crafted request
bash
# Example firewall rule to restrict router admin access to a management host
iptables -A INPUT -p tcp --dport 80 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.