Security Advisory: Multiple High-Severity Vulnerabilities in Tenda WH450 Router

CyberDefender 6 mins0

Multiple critical and high-severity vulnerabilities have been published affecting the Tenda WH450 router firmware (version 1.0.0.18) — a widely used consumer networking device. These flaws include stack-based buffer overflows in key HTTP CGI endpoints, enabling remote exploitation with publicly available proof-of-concept exploits.

Affected Products

  • Tenda WH450 — Firmware 1.0.0.18

Individual CVE Details

CVE-2025-15160Stack-based Buffer Overflow in PPTPServer CGI

  • Vulnerability: Stack-based buffer overflow
  • Component: /goform/PPTPServer CGI handler
  • Attack Vector: Remote, unauthenticated HTTP request
  • Impact: Potential execution of arbitrary code, denial of service
  • Exploitability: High — exploit disclosed publicly
  • Severity: High

Technical Details:
The bug occurs when input passed to the ip1 parameter is processed without proper bounds checking. A crafted HTTP request to /goform/PPTPServer can overflow the stack by supplying an oversized string, leading to control of the instruction pointer. An attacker could trigger remote code execution (RCE) or crash the device.

CVE-2025-15161Stack-based Buffer Overflow in PPTPUserSetting

  • Vulnerability: Stack-based buffer overflow
  • Component: /goform/PPTPUserSetting CGI
  • Attack Vector: Remote HTTP
  • Impact: RCE, DoS
  • Severity: High

Technical Details:
This flaw is triggered by inadequately validated input in the delno parameter. Sending an excessively long value in this parameter leads to stack memory corruption and potential arbitrary code execution.

CVE-2025-15163Stack-based Buffer Overflow in SafeEmailFilter CGI

  • Vulnerability: Stack overflow
  • Component: /goform/SafeEmailFilter
  • Attack Vector: Remote HTTP
  • Impact: RCE or service crash
  • Severity: High

Technical Details:
The vulnerable page parameter in this CGI is processed without safe length checks. Overflowing this buffer could corrupt saved return addresses. Remote attackers can exploit this to execute arbitrary firmware code.

CVE-2025-15164Stack-based Buffer Overflow in SafeMacFilter CGI

  • Vulnerability: Stack overflow via HTTP
  • Component: /goform/SafeMacFilter
  • Attack Vector: Remote
  • Impact: Crash / RCE
  • Severity: High

Technical Details:
Like the other CGI endpoints, lack of input validation on the page parameter opens the door for remote input to overrun local buffers, undermining system control flow.

CVE-2025-15177Unclassified High-Risk Vulnerability

  • Reported Behavior: Vulnerability listed with high severity in third-party feeds
  • Affected Product: Identifiers vary (some sources reference general web fax / privilege abuse conditions)
  • Details: Not fully public or vendor-confirmed at time of writing
  • Severity: High (prelim)

Technical Analysis

Root Cause

All confirmed CVEs on Tenda WH450 stem from improper input validation in web-exposed CGI handlers. Specifically:

  • Missing bounds checks on parameters (delno, ip1, page)
  • Functions assume input within expected size, leading to stack buffer overflows
  • Resulting control hijack opportunities for attackers

This class of bug maps to CWE-121 and CWE-120 (stack overflows and unsafe buffer operations) — classic but severe software engineering oversights.

Exploit and Proof-of-Concept

Public exploit code has been posted against the affected CGI endpoints, allowing:

  • Remote buffer overflow triggering via crafted HTTP POST/GET
  • Potential shell injection or firmware takeover
  • Unauthenticated attackers on the same network or WAN

Important: Running exploits against live infrastructure without consent is illegal and unethical.

Detection & Mitigation

Detection

Monitor for anomalous HTTP requests matching:

POST /goform/PPTPServer HTTP/1.1
User-Agent: BadBot
Content-Length:  ...
<oversized payload>

Also watch for application crashes or resets in the router logs.

Mitigation:

Vendor patch required: User must update Tenda WH450 firmware as soon as a vendor patch becomes available. Until then:

  1. Disable remote management of web interface.
  2. Restrict access (ACLs) to trusted networks.
  3. Network segmentation — isolate router config interface.
  4. Monitor traffic for unusual CGI hits or buffer overflow signatures.

Conclusion

Multiple critical vulnerabilities affecting the Tenda WH450 router’s web management interface have been made public, all resulting from stack buffer overflows in CGI endpoints. These flaws allow remote unauthenticated attackers to potentially execute code or crash the device.

Action items for administrators:

  • Check Tenda support for updated firmware
  • Harden management interfaces
  • Block WAN-side access to device web UI

Staying ahead of these bugs protects not only your network perimeter but also prevents attackers from pivoting to internal systems.

CyberDefender