CVE-2025-70650 Overview
CVE-2025-70650 is a stack overflow vulnerability discovered in the Tenda AX-1806 router firmware version 1.0.0.1. The vulnerability exists in the deviceList parameter of the formSetMacFilterCfg function, which is used for MAC address filtering configuration. When exploited, this vulnerability allows remote attackers to cause a Denial of Service (DoS) condition by sending specially crafted HTTP requests to the affected device.
This vulnerability is classified under CWE-121 (Stack-based Buffer Overflow), which occurs when a program writes more data to a buffer on the stack than is actually allocated, potentially corrupting adjacent memory and causing the application to crash or behave unexpectedly.
Critical Impact
Remote attackers can crash the Tenda AX-1806 router without authentication, disrupting network connectivity for all connected devices and potentially requiring manual intervention to restore service.
Affected Products
- Tenda AX-1806 firmware version 1.0.0.1
- Tenda AX-1806 routers with vulnerable web management interface
Discovery Timeline
- 2026-01-21 - CVE-2025-70650 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-70650
Vulnerability Analysis
The stack overflow vulnerability resides in the formSetMacFilterCfg function, which handles MAC address filtering configuration on the Tenda AX-1806 router. This function processes user-supplied input through the deviceList parameter without proper bounds checking, allowing an attacker to overflow the stack buffer allocated for this data.
When the deviceList parameter receives input that exceeds the expected buffer size, the excess data overwrites adjacent stack memory. In this case, the overflow results in corruption of critical stack data, leading to application crash and denial of service. The vulnerability is network-accessible, meaning attackers can exploit it remotely without requiring authentication or user interaction.
The impact is limited to availability—the vulnerability does not allow for arbitrary code execution or information disclosure based on the available technical analysis. However, successful exploitation will render the router unresponsive, requiring a manual reboot to restore functionality.
Root Cause
The root cause of this vulnerability is insufficient input validation in the formSetMacFilterCfg function. The function fails to verify that the length of the deviceList parameter data fits within the allocated stack buffer before copying it. This is a classic stack-based buffer overflow scenario where fixed-size stack buffers are used without corresponding length checks on user-controllable input.
The vulnerable code path likely uses unsafe string manipulation functions or fails to implement proper size constraints when processing the MAC filter device list data from HTTP POST requests.
Attack Vector
The attack can be executed remotely over the network by sending a crafted HTTP request to the router's web management interface. The attacker constructs a request to the MAC filtering configuration endpoint with an oversized deviceList parameter value. This parameter is processed by the formSetMacFilterCfg function, triggering the stack overflow.
The exploitation does not require authentication, making any Tenda AX-1806 router with an exposed web management interface potentially vulnerable. The attack results in immediate denial of service as the router's web service crashes. Technical details and proof of concept information can be found in the GitHub Vulnerability Report.
Detection Methods for CVE-2025-70650
Indicators of Compromise
- Unexpected router reboots or web interface unavailability
- Abnormally large HTTP POST requests to MAC filtering configuration endpoints
- Network traffic containing unusually long deviceList parameter values
- Log entries showing crashes or segmentation faults in the web server process
Detection Strategies
- Monitor HTTP traffic to the router's management interface for requests with oversized parameters
- Implement network intrusion detection rules to identify malformed requests targeting formSetMacFilterCfg
- Deploy anomaly detection for requests containing excessive data in POST body parameters
- Monitor device availability and trigger alerts on unexpected service disruptions
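One way to implement the oversized-parameter check from the strategies above, as an added example (not code from the advisory or from Tenda). The 512-byte limit, the request path and the mode field are assumptions; only the deviceList parameter name comes from the advisory.

```python
from urllib.parse import parse_qsl

# Assumption: the advisory gives no buffer size, so this limit is a tunable
# placeholder set well above any plausible legitimate MAC filter list.
MAX_DEVICELIST_LEN = 512

def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def inspect_request(raw: bytes, limit: int = MAX_DEVICELIST_LEN):
    """Return a list of findings for one captured request (empty list = clean)."""
    request_line, headers, body = split_request(raw)
    findings = []
    if not request_line.startswith("POST "):
        return findings
    # Measure the decoded value so percent-encoding cannot hide the true length.
    for name, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        if name == "deviceList" and len(value) > limit:
            findings.append(f"deviceList length {len(value)} exceeds {limit}")
    # A declared length that disagrees with the captured body is worth a look
    # (malformed request, or a truncated capture).
    declared = headers.get("content-length", "")
    if declared.isdigit() and int(declared) != len(body):
        findings.append(f"Content-Length {declared} != body {len(body)}")
    return findings

# Constructed sample traffic; the path and the "mode" field are placeholders.
def build_request(body: bytes) -> bytes:
    return (b"POST /mac-filter-endpoint HTTP/1.1\r\nHost: 192.168.1.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

NORMAL = build_request(b"mode=1&deviceList=aa%3Abb%3Acc%3Add%3Aee%3Aff")
OVERSIZED = build_request(b"mode=1&deviceList=" + b"A" * 2000)

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(label, inspect_request(raw) or "clean")
```

Tune the limit against a baseline of legitimate MAC filter updates captured from your own network before alerting on it.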
Monitoring Recommendations
- Enable logging on network firewalls to capture traffic to router management interfaces
- Implement regular health checks on network infrastructure devices to detect DoS conditions
- Review access logs for the router web interface for unusual request patterns
- Consider deploying network monitoring tools to baseline normal traffic and detect anomalies
How to Mitigate CVE-2025-70650
Immediate Actions Required
- Restrict access to the router's web management interface to trusted networks only
- Disable remote management access if not required for operations
- Implement firewall rules to block external access to the router's HTTP/HTTPS ports
- Monitor for firmware updates from Tenda that address this vulnerability
Patch Information
As of the publication date, no official patch information has been released by Tenda for this vulnerability. Users should monitor Tenda's official support channels and firmware download pages for security updates addressing CVE-2025-70650. The vulnerability details are documented in the GitHub Vulnerability Report.
Workarounds
- Restrict management interface access to local network only
- Use firewall rules to limit which IP addresses can access the router's web interface
- Consider placing the router behind a network firewall that can filter malicious requests
- If possible, use alternative firmware or consider replacing vulnerable devices in critical environments
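# Example firewall rule to restrict management access (iptables)
# Block external access to router management ports
# 192.168.1.0/24 is an example LAN subnet; replace it with your own.
# INPUT filters traffic to the host running iptables; on an upstream
# firewall in front of the router, apply the same match in the FORWARD chain.
# The negation (!) must precede -s; "-s ! <net>" is rejected by current iptables.
iptables -A INPUT -p tcp --dport 80 ! -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p tcp --dport 443 ! -s 192.168.1.0/24 -j DROP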

