CVE-2025-70753 Overview
CVE-2025-70753 is a stack-based buffer overflow in the Tenda AX-1806 wireless router running firmware version 1.0.0.1. The flaw resides in the sub_4CA50 function, which processes the security_5g parameter without validating its length before copying it onto a fixed-size stack buffer. A remote unauthenticated attacker can send a crafted HTTP request to trigger the overflow and crash the device, resulting in a Denial of Service (DoS) condition. The vulnerability is tracked under [CWE-787] Out-of-bounds Write and [CWE-121] Stack-based Buffer Overflow.
Critical Impact
Unauthenticated remote attackers can crash affected Tenda AX-1806 routers over the network, disrupting wireless connectivity for all downstream clients.
Affected Products
- Tenda AX-1806 router (hardware)
- Tenda AX-1806 firmware version 1.0.0.1
- Deployments exposing the device web management interface to untrusted networks
Discovery Timeline
- 2026-01-13 - CVE-2025-70753 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-70753
Vulnerability Analysis
The vulnerability exists in the sub_4CA50 function of the Tenda AX-1806 firmware HTTP request handler. The function reads the security_5g parameter from an incoming request and copies it into a local stack buffer without bounds checking. When the attacker-supplied value exceeds the buffer size, adjacent stack memory is overwritten, including saved registers and return addresses. The result is process corruption and a device crash that interrupts router operation. Because the attack requires no authentication and no user interaction, any reachable management endpoint exposes the device to remote disruption.
Root Cause
The root cause is the absence of input length validation before a memory copy operation in sub_4CA50. Standard defenses such as stack canaries, address space layout randomization, and bounds-checked string handling functions are either missing or insufficient in this firmware build. The pattern aligns with [CWE-121] Stack-based Buffer Overflow and [CWE-787] Out-of-bounds Write.
Attack Vector
The attack vector is network-based. An attacker submits a crafted HTTP POST request to the router's web interface with an oversized security_5g parameter value. Processing the request triggers the stack overflow and crashes the responsible service, taking the router offline until it is rebooted or recovers automatically. Technical details are documented in the GitHub PoC Repository.
No verified exploit code is reproduced here. Refer to the linked PoC repository for technical reproduction details.
Detection Methods for CVE-2025-70753
Indicators of Compromise
- Unexpected reboots or service restarts on Tenda AX-1806 routers
- HTTP POST requests to the router management interface containing abnormally long security_5g parameter values
- Loss of wireless connectivity correlated with inbound traffic from untrusted sources
- Repeated connection resets from the router's web management port
Detection Strategies
- Inspect HTTP traffic targeting the router web UI for oversized form parameters, particularly security_5g
- Deploy IDS/IPS signatures that flag parameter values exceeding expected lengths for Tenda router endpoints
- Correlate router uptime telemetry with network traffic to identify crash-and-reboot patterns triggered remotely
Monitoring Recommendations
- Forward router syslog and SNMP trap data to a centralized logging platform for crash and restart analysis
- Alert on management interface access from sources outside the administrative network
- Track EPSS movement for CVE-2025-70753 to prioritize remediation as exploitation likelihood changes
How to Mitigate CVE-2025-70753
Immediate Actions Required
- Restrict access to the router web management interface to trusted LAN segments only
- Disable remote (WAN-side) administration on affected Tenda AX-1806 devices
- Inventory all Tenda AX-1806 units running firmware 1.0.0.1 and place them behind network filtering
- Monitor vendor channels for a firmware update addressing the sub_4CA50 boundary check
Patch Information
No vendor advisory or patched firmware release is referenced in the NVD entry at the time of publication. Operators should monitor the Tenda support site for firmware updates that address sub_4CA50 parameter handling.
Workarounds
- Place affected routers behind a network firewall that blocks unsolicited inbound traffic to the management interface
- Apply ACLs limiting HTTP/HTTPS access to the router to a dedicated management VLAN
- Replace end-of-support consumer routers with models that receive active security maintenance where feasible
# Example: restrict router management access to a single admin host using iptables on an upstream gateway
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -s <admin_host_ip> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -s <admin_host_ip> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

