Product & Vulnerability Overview
The following vulnerabilities affect consumer-grade Wi-Fi 6 routers manufactured by Tenda. These devices are widely deployed in home and small-office environments and typically expose web-based management interfaces over HTTP/HTTPS.
All listed issues are stack-based buffer overflow vulnerabilities that can be exploited remotely by sending crafted requests to vulnerable HTTP endpoints. Successful exploitation can allow an unauthenticated attacker to execute arbitrary code with root privileges, fully compromising the device.
These flaws are particularly dangerous because:
- Routers often sit at the network perimeter
- Many users do not change default credentials
- Remote management is frequently enabled
- Exploitation can be automated at scale
Affected Products
- Tenda AX-1806 – Wi-Fi 6 Dual-Band Router
- Tenda AX3 – Wi-Fi 6 Home Router
High-Level Exploitation Summary
In simple terms, these routers do not properly check how much data they accept in certain web requests. An attacker can send more data than the router expects, which overwrites memory on the device. By carefully crafting this overflow, the attacker can force the router to run their own commands.
This means:
- No physical access is required
- No user interaction is required
- The attacker can take full control of the router
- Network traffic can be monitored, altered, or redirected
CVE Summary Table
| CVE ID | Product | Vulnerability Type | CVSS (Estimated) | Severity | Exploitability | Exploit Availability |
|---|---|---|---|---|---|---|
| CVE-2025-70644 | Tenda AX-1806 | Stack Overflow | 9.8 | Critical | Remote, Unauthenticated | Proof-of-concept observed |
| CVE-2025-69766 | Tenda AX3 | Stack Buffer Overflow | 9.8 | Critical | Remote, Unauthenticated | Proof-of-concept observed |
| CVE-2025-69763 | Tenda AX3 | Stack Overflow | 9.8 | Critical | Remote, Unauthenticated | Proof-of-concept observed |
| CVE-2025-69762 | Tenda AX3 | Stack Overflow | 9.8 | Critical | Remote, Unauthenticated | Proof-of-concept observed |
Severity rationale: Full device takeover, network-wide impact, no authentication required, and low attack complexity.
Technical Details by CVE
CVE-2025-70644 – Tenda AX-1806
Vulnerability Type: Stack-based buffer overflow
Attack Vector: HTTP POST request to router management endpoint
Authentication Required: No
How It Can Be Exploited
The AX-1806 firmware fails to validate input length for specific configuration parameters submitted via the web interface. An attacker can send an oversized parameter value, overwriting the stack return address.
By controlling the overwritten memory, the attacker can redirect execution flow to injected shellcode or existing system functions.
Impact
- Remote code execution as root
- Persistent malware installation
- Full interception of LAN traffic
- Use of router as part of a botnet
CVE-2025-69766 – Tenda AX3
Vulnerability Type: Stack buffer overflow
Attack Vector: Malformed HTTP request
Authentication Required: No
How It Can Be Exploited
A vulnerable request handler copies user-supplied input into a fixed-size stack buffer using unsafe string operations. When input exceeds the expected size, memory corruption occurs.
Attackers can leverage this to execute system commands or spawn a reverse shell.
CVE-2025-69763 – Tenda AX3
Vulnerability Type: Stack overflow
Attack Vector: Router configuration endpoint
Authentication Required: No
How It Can Be Exploited
This flaw exists in a separate request path from CVE-2025-69766 but results in the same outcome. The attacker sends specially crafted parameters that overwrite stack memory and hijack execution flow.
CVE-2025-69762 – Tenda AX3
Vulnerability Type: Stack overflow
Attack Vector: HTTP management service
Authentication Required: No
How It Can Be Exploited
Improper bounds checking in firmware functions handling network configuration requests allows memory corruption. Exploitation can be chained with known return-to-libc techniques to reliably gain shell access.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059 | Command and Scripting Interpreter |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Command & Control | T1071 | Application Layer Protocol |
Detection & Monitoring Guidance
Log Sources to Monitor
- Router HTTP access logs
- Embedded web server error logs
- System crash or watchdog logs
- Network IDS/IPS logs
Indicators of Exploitation
- Repeated long HTTP POST requests
- Abnormally large parameter values
- Router reboots without configuration changes
- Unexpected outbound traffic from router
- New listening services on non-standard ports
Example Detection Rules
HTTP Anomaly Detection
- Alert on POST requests exceeding normal parameter length
- Alert on repeated requests to configuration endpoints from external IPs
Network-Based Detection
- Flag outbound connections initiated by router to unknown external hosts
- Detect command-and-control style beaconing from router IP
Behavioral Indicators
- Router CPU usage spikes
- Sudden configuration resets
- DNS hijacking behavior
Payload Characteristics
While exact exploit payloads vary, they generally include:
- Padding to reach return address
- Overwritten return pointer
- Embedded shellcode or command execution chain
- Optional reverse shell instructions
Payloads are typically delivered as HTTP form parameters or JSON fields.
Proof-of-Concept Status
- Public proof-of-concept exploit code has been reported for these issues
- Exploits are suitable for automation
- Low technical skill required once exploit is weaponized
Mitigation & Remediation
Immediate Actions
- Disable remote management on WAN interfaces
- Restrict router management access to trusted IP ranges
- Monitor outbound traffic from router devices
Official Patch Information
Tenda has released firmware updates addressing these vulnerabilities.
Users should only apply firmware obtained directly from Tenda’s official support website for the specific router model and hardware revision.
Firmware updates:
- Add proper input length validation
- Replace unsafe memory functions
- Harden web management services
Business & User Impact
If exploited, these vulnerabilities can lead to:
- Complete loss of network confidentiality
- Credential theft across the LAN
- Malware propagation
- Legal and compliance exposure
Final Takeaway
These vulnerabilities represent a critical security risk and should be treated as a top-priority remediation item. Internet-exposed routers running vulnerable firmware are at high risk of automated exploitation and mass compromise.
Patch immediately. If patching is not possible, isolate or replace the affected device.
