CVE-2025-70744 Overview
CVE-2025-70744 is a stack-based buffer overflow vulnerability affecting Tenda AX-1806 v1.0.0.1 routers. The flaw resides in the sub_65B5C function, where the cloneType parameter is processed without proper bounds checking. A remote attacker can submit a crafted HTTP request containing an oversized cloneType value to trigger the overflow. Successful exploitation causes the device to crash, resulting in a Denial of Service (DoS) condition. The vulnerability is categorized under [CWE-121] Stack-based Buffer Overflow and requires no authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can crash Tenda AX-1806 routers by sending a single malformed HTTP request, disrupting network connectivity for all downstream users.
Affected Products
- Tenda AX-1806 router (hardware)
- Tenda AX-1806 firmware version 1.0.0.1
- Devices exposing the vulnerable web management interface
Discovery Timeline
- 2026-01-15 - CVE-2025-70744 published to the National Vulnerability Database (NVD)
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2025-70744
Vulnerability Analysis
The vulnerability exists in the sub_65B5C function within the Tenda AX-1806 firmware. This function handles request data containing the cloneType parameter, which is typically associated with MAC address cloning functionality on consumer routers. The function copies attacker-controlled input into a fixed-size stack buffer without validating the length of the source data.
When an attacker submits a cloneType value exceeding the destination buffer size, the excess data overwrites adjacent stack memory. This corruption includes saved return addresses and stack frame pointers. On the AX-1806's MIPS-based architecture, the corrupted return address causes the web server process to crash when execution returns from the affected function.
The primary observed impact is service disruption rather than code execution, though stack overflows of this nature can sometimes be leveraged for further exploitation on embedded targets. Technical details are documented in the GitHub PoC Repository.
Root Cause
The root cause is missing input length validation on the cloneType HTTP parameter before it is copied into a stack-allocated buffer inside sub_65B5C. The firmware uses unsafe string handling routines that do not enforce destination buffer boundaries, allowing the overflow to occur.
Attack Vector
An attacker reaches the vulnerable function by sending a crafted HTTP request to the router's web management interface. No credentials or user interaction are required. Any host with network access to the management interface can trigger the crash, including attackers on the local network or, if remote management is enabled, the public internet.
No verified exploitation code is available beyond the proof of concept referenced in the public GitHub repository. The vulnerability mechanism is described in prose above without synthetic exploitation code.
Detection Methods for CVE-2025-70744
Indicators of Compromise
- Unexpected reboots or web management interface unavailability on Tenda AX-1806 devices
- HTTP POST requests containing abnormally long cloneType parameter values in router access logs
- Repeated crash entries or watchdog resets in router system logs following inbound HTTP traffic
- Loss of LAN or WAN connectivity correlating with inbound traffic to the router management port
Detection Strategies
- Inspect HTTP traffic destined for router management interfaces for cloneType parameter values exceeding expected MAC address length (17 characters)
- Deploy network intrusion detection signatures that flag oversized parameter values in requests to Tenda firmware endpoints
- Correlate router crash events with preceding inbound HTTP requests to identify exploitation attempts
Monitoring Recommendations
- Monitor router uptime and availability through SNMP or ICMP health checks to identify DoS conditions quickly
- Capture and review web server logs from affected Tenda devices for malformed parameter submissions
- Alert on traffic from untrusted networks targeting the router web management interface
How to Mitigate CVE-2025-70744
Immediate Actions Required
- Disable remote (WAN-side) administration on Tenda AX-1806 devices to prevent internet-based exploitation
- Restrict access to the LAN-side web management interface to trusted administrative hosts using firewall rules or VLAN segmentation
- Check Tenda's support portal for firmware updates addressing CVE-2025-70744 and apply them when released
Patch Information
At the time of NVD publication on 2026-01-15, no vendor advisory or patched firmware version has been published by Tenda for the AX-1806 v1.0.0.1. Administrators should monitor the Tenda security page for an updated firmware release addressing this issue.
Workarounds
- Block inbound HTTP and HTTPS traffic to the router's WAN interface at an upstream firewall
- Place the router behind a network segmentation boundary that restricts management plane access to a dedicated admin VLAN
- Replace end-of-support or unpatched devices with vendor-supported alternatives if no fix is released
# Example: restrict management access to a single admin host using upstream iptables
iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.10 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 80 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 80 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

