CVE-2025-65804 in AX3
Summary
by MITRE • 12/08/2025
Tenda AX3 v16.03.12.11 contains a stack overflow in formSetIptv via the iptvType parameter, which can cause memory corruption and enable remote code execution (RCE).
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 12/08/2025
The vulnerability identified as CVE-2025-65804 affects the Tenda AX3 router firmware version v16.03.12.11 and represents a critical stack overflow condition within the formSetIptv function. This flaw manifests through the iptvType parameter, which serves as an entry point for malicious input manipulation. The stack overflow vulnerability occurs when the device fails to properly validate or sanitize user-supplied data before processing it within the memory stack structure. Such memory corruption vulnerabilities are particularly dangerous as they can lead to arbitrary code execution, allowing attackers to gain unauthorized control over the affected device. The vulnerability resides in the web interface handling mechanism where the iptvType parameter is processed without adequate bounds checking or input validation, creating a pathway for exploitation.
The technical implementation of this vulnerability aligns with CWE-121, which describes stack-based buffer overflow conditions, and CWE-787, which addresses out-of-bounds write operations. Attackers can leverage this weakness by crafting malicious payloads containing oversized or malformed iptvType parameters that exceed the allocated stack buffer space. When the firmware processes this input, the excessive data overflows into adjacent memory locations, potentially corrupting critical program execution structures including return addresses, function pointers, or other control data. This memory corruption can be systematically exploited to redirect program execution flow and inject malicious code into the router's operating environment.
The operational impact of CVE-2025-65804 extends beyond simple device compromise, as it enables attackers to achieve persistent remote code execution within the network infrastructure. Once successfully exploited, an attacker gains full administrative control over the Tenda AX3 router, allowing them to modify network configurations, intercept traffic, establish backdoors, or use the device as a pivot point for further attacks within the local network. The vulnerability affects the device's web management interface, making exploitation accessible through standard network protocols without requiring physical access or specialized equipment. This characteristic significantly increases the attack surface and potential for widespread compromise across multiple network environments where affected devices are deployed.
Mitigation strategies for this vulnerability should prioritize immediate firmware updates from Tenda, as the manufacturer is expected to release patches addressing the stack overflow condition. Network administrators should implement network segmentation and access controls to limit exposure, while monitoring for suspicious traffic patterns that may indicate exploitation attempts. The ATT&CK framework categorizes this vulnerability under T1059 for command and script interpreter usage and T1071 for application layer protocols, highlighting the potential for attackers to leverage the compromised device for lateral movement and persistent access. Additionally, implementing web application firewalls and input validation controls can provide additional layers of protection against exploitation attempts, though these measures are secondary to the primary requirement of firmware updates and proper network hygiene practices.