CVE-2025-71025 in AX3
Summary
by MITRE • 01/13/2026
Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the cloneType2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/17/2026
The vulnerability identified as CVE-2025-71025 affects the Tenda AX-3 v16.03.12.10_CN router firmware, presenting a critical stack overflow condition within the web management interface. This flaw exists in the fromAdvSetMacMtuWan function where the cloneType2 parameter is processed without adequate input validation or bounds checking. The stack overflow occurs when an attacker submits a specially crafted HTTP request containing an excessively long or malformed cloneType2 value, which leads to memory corruption in the application's stack space.
The technical implementation of this vulnerability stems from improper handling of user-supplied data within the router's web server component. When the firmware processes the cloneType2 parameter, it fails to enforce length restrictions or validate the input format before passing it to memory allocation functions. This allows an attacker to overflow the stack buffer and potentially overwrite adjacent memory locations including return addresses and function pointers. The vulnerability is classified under CWE-121 Stack-based Buffer Overflow, which represents a fundamental weakness in memory management where data written to a buffer exceeds the allocated stack space.
The operational impact of this vulnerability manifests as a remote Denial of Service condition that can be exploited by any attacker with network access to the affected device. Successful exploitation does not require authentication and can be performed through a simple HTTP request containing the malicious cloneType2 parameter. The DoS effect results in the router's web management interface becoming unresponsive, requiring manual intervention or a device reboot to restore functionality. This renders the router inaccessible for configuration changes and potentially disrupts network connectivity for all devices relying on the affected gateway.
From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1210 for exploitation of remote services and T1499 for disruption of services. The attack surface is particularly concerning given that the vulnerability exists in a widely deployed consumer-grade router firmware, making it accessible to a broad range of threat actors. Network administrators should consider this vulnerability as a potential entry point for more sophisticated attacks, as the DoS condition could be used as a precursor to other exploitation attempts or as part of a larger attack campaign targeting network infrastructure.
Mitigation strategies should include immediate firmware updates from Tenda to address the stack overflow condition, along with network segmentation to limit access to the affected management interface. Administrators should implement network access controls to restrict access to the router's web management ports from untrusted networks, and consider disabling unnecessary management services when not actively needed. Additionally, monitoring network traffic for suspicious requests containing malformed cloneType2 parameters can help detect exploitation attempts, while regular firmware update policies should be established to maintain device security posture against similar vulnerabilities.