Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70744

CVE-2025-70744: Tenda AX1806 Firmware DoS Vulnerability

CVE-2025-70744 is a stack overflow denial of service flaw in Tenda AX1806 Firmware affecting the cloneType parameter. Attackers can exploit this to crash the device. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-70744 Overview

CVE-2025-70744 is a stack-based buffer overflow vulnerability affecting Tenda AX-1806 v1.0.0.1 routers. The flaw resides in the sub_65B5C function, where the cloneType parameter is processed without proper bounds checking. A remote attacker can submit a crafted HTTP request containing an oversized cloneType value to trigger the overflow. Successful exploitation causes the device to crash, resulting in a Denial of Service (DoS) condition. The vulnerability is categorized under [CWE-121] Stack-based Buffer Overflow and requires no authentication or user interaction.

Critical Impact

Unauthenticated remote attackers can crash Tenda AX-1806 routers by sending a single malformed HTTP request, disrupting network connectivity for all downstream users.

Affected Products

  • Tenda AX-1806 router (hardware)
  • Tenda AX-1806 firmware version 1.0.0.1
  • Devices exposing the vulnerable web management interface

Discovery Timeline

  • 2026-01-15 - CVE-2025-70744 published to the National Vulnerability Database (NVD)
  • 2026-01-20 - Last updated in NVD database

Technical Details for CVE-2025-70744

Vulnerability Analysis

The vulnerability exists in the sub_65B5C function within the Tenda AX-1806 firmware. This function handles request data containing the cloneType parameter, which is typically associated with MAC address cloning functionality on consumer routers. The function copies attacker-controlled input into a fixed-size stack buffer without validating the length of the source data.

When an attacker submits a cloneType value exceeding the destination buffer size, the excess data overwrites adjacent stack memory. This corruption includes saved return addresses and stack frame pointers. On the AX-1806's MIPS-based architecture, the corrupted return address causes the web server process to crash when execution returns from the affected function.

The primary observed impact is service disruption rather than code execution, though stack overflows of this nature can sometimes be leveraged for further exploitation on embedded targets. Technical details are documented in the GitHub PoC Repository.

Root Cause

The root cause is missing input length validation on the cloneType HTTP parameter before it is copied into a stack-allocated buffer inside sub_65B5C. The firmware uses unsafe string handling routines that do not enforce destination buffer boundaries, allowing the overflow to occur.

Attack Vector

An attacker reaches the vulnerable function by sending a crafted HTTP request to the router's web management interface. No credentials or user interaction are required. Any host with network access to the management interface can trigger the crash, including attackers on the local network or, if remote management is enabled, the public internet.

No verified exploitation code is available beyond the proof of concept referenced in the public GitHub repository. The vulnerability mechanism is described in prose above without synthetic exploitation code.

Detection Methods for CVE-2025-70744

Indicators of Compromise

  • Unexpected reboots or web management interface unavailability on Tenda AX-1806 devices
  • HTTP POST requests containing abnormally long cloneType parameter values in router access logs
  • Repeated crash entries or watchdog resets in router system logs following inbound HTTP traffic
  • Loss of LAN or WAN connectivity correlating with inbound traffic to the router management port

Detection Strategies

  • Inspect HTTP traffic destined for router management interfaces for cloneType parameter values exceeding expected MAC address length (17 characters)
  • Deploy network intrusion detection signatures that flag oversized parameter values in requests to Tenda firmware endpoints
  • Correlate router crash events with preceding inbound HTTP requests to identify exploitation attempts

Monitoring Recommendations

  • Monitor router uptime and availability through SNMP or ICMP health checks to identify DoS conditions quickly
  • Capture and review web server logs from affected Tenda devices for malformed parameter submissions
  • Alert on traffic from untrusted networks targeting the router web management interface

How to Mitigate CVE-2025-70744

Immediate Actions Required

  • Disable remote (WAN-side) administration on Tenda AX-1806 devices to prevent internet-based exploitation
  • Restrict access to the LAN-side web management interface to trusted administrative hosts using firewall rules or VLAN segmentation
  • Check Tenda's support portal for firmware updates addressing CVE-2025-70744 and apply them when released

Patch Information

At the time of NVD publication on 2026-01-15, no vendor advisory or patched firmware version has been published by Tenda for the AX-1806 v1.0.0.1. Administrators should monitor the Tenda security page for an updated firmware release addressing this issue.

Workarounds

  • Block inbound HTTP and HTTPS traffic to the router's WAN interface at an upstream firewall
  • Place the router behind a network segmentation boundary that restricts management plane access to a dedicated admin VLAN
  • Replace end-of-support or unpatched devices with vendor-supported alternatives if no fix is released
bash
# Example: restrict management access to a single admin host using upstream iptables
iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.10 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 80 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 80 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.