Multiple critical and high-severity vulnerabilities have been published affecting the Tenda WH450 router firmware (version 1.0.0.18) — a widely used consumer networking device. These flaws include stack-based buffer overflows in key HTTP CGI endpoints, enabling remote exploitation with publicly available proof-of-concept exploits.
Affected Products
- Tenda WH450 — Firmware 1.0.0.18
Individual CVE Details
CVE-2025-15160 – Stack-based Buffer Overflow in PPTPServer CGI
- Vulnerability: Stack-based buffer overflow
- Component: /goform/PPTPServer CGI handler
- Attack Vector: Remote, unauthenticated HTTP request
- Impact: Potential execution of arbitrary code, denial of service
- Exploitability: High — exploit disclosed publicly
- Severity: High
Technical Details:
The bug occurs when input passed to the ip1 parameter is processed without proper bounds checking. A crafted HTTP request to /goform/PPTPServer can overflow the stack by supplying an oversized string, leading to control of the instruction pointer. An attacker could trigger remote code execution (RCE) or crash the device.
CVE-2025-15161 – Stack-based Buffer Overflow in PPTPUserSetting
- Vulnerability: Stack-based buffer overflow
- Component: /goform/PPTPUserSetting CGI
- Attack Vector: Remote HTTP
- Impact: RCE, DoS
- Severity: High
Technical Details:
This flaw is triggered by inadequately validated input in the delno parameter. Sending an excessively long value in this parameter leads to stack memory corruption and potential arbitrary code execution.
CVE-2025-15163 – Stack-based Buffer Overflow in SafeEmailFilter CGI
- Vulnerability: Stack overflow
- Component: /goform/SafeEmailFilter
- Attack Vector: Remote HTTP
- Impact: RCE or service crash
- Severity: High
Technical Details:
The vulnerable page parameter in this CGI is processed without safe length checks. Overflowing this buffer could corrupt saved return addresses. Remote attackers can exploit this to execute arbitrary code on the device.
CVE-2025-15164 – Stack-based Buffer Overflow in SafeMacFilter CGI
- Vulnerability: Stack overflow via HTTP
- Component: /goform/SafeMacFilter
- Attack Vector: Remote
- Impact: Crash / RCE
- Severity: High
Technical Details:
Like the other CGI endpoints, lack of input validation on the page parameter opens the door for remote input to overrun local buffers, undermining system control flow.
CVE-2025-15177 – Unclassified High-Risk Vulnerability
- Reported Behavior: Vulnerability listed with high severity in third-party feeds
- Affected Product: Identifiers vary (some sources reference general web fax / privilege abuse conditions)
- Details: Not fully public or vendor-confirmed at time of writing
- Severity: High (preliminary)
Technical Analysis
Root Cause
All confirmed CVEs on Tenda WH450 stem from improper input validation in web-exposed CGI handlers. Specifically:
- Missing bounds checks on parameters (delno, ip1, page)
- Functions assume input within expected size, leading to stack buffer overflows
- Resulting control hijack opportunities for attackers
This class of bug maps to CWE-121 and CWE-120 (stack overflows and unsafe buffer operations) — classic but severe software engineering oversights.
Exploit and Proof-of-Concept
Public exploit code has been posted against the affected CGI endpoints, allowing:
- Remote buffer overflow triggering via crafted HTTP POST/GET
- Potential shell injection or firmware takeover
- Unauthenticated attackers on the same network or WAN
Important: Running exploits against live infrastructure without consent is illegal and unethical.
Detection & Mitigation
Detection
Monitor for anomalous HTTP requests matching:
POST /goform/PPTPServer HTTP/1.1
User-Agent: BadBot
Content-Length: ...
<oversized payload>
Also watch for application crashes or resets in the router logs.
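One way to implement the request monitoring described above, as an added example (not code from the original advisory or from Tenda): a Python check that flags requests to the four /goform endpoints whose named parameter is unusually long. The 64-character threshold, the function name and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Endpoint -> parameter, as named in the CVE descriptions above.
WATCHED = {
    "/goform/PPTPServer": "ip1",
    "/goform/PPTPUserSetting": "delno",
    "/goform/SafeEmailFilter": "page",
    "/goform/SafeMacFilter": "page",
}
# Assumption: legitimate values (an IP address, an index, a page number)
# are short. Tune this against your own baseline traffic.
MAX_VALUE_LEN = 64


def inspect_request(raw: bytes) -> list:
    """Return one finding per watched parameter whose value is oversized."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        method, target, _version = head.decode("latin-1").split("\r\n")[0].split(" ", 2)
    except ValueError:
        return []  # first line is not an HTTP request line
    url = urlsplit(target)
    param = WATCHED.get(url.path.rstrip("/"))
    if param is None:
        return []
    # The parameter may arrive in the query string (GET) or form body (POST).
    pairs = parse_qsl(url.query, keep_blank_values=True)
    pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return [
        {"method": method, "path": url.path, "param": k, "length": len(v)}
        for k, v in pairs
        if k == param and len(v) > MAX_VALUE_LEN
    ]


# Constructed sample requests (not captured traffic); 192.0.2.1 is a
# documentation address standing in for the router.
SAMPLES = [
    b"POST /goform/PPTPServer HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\nip1=10.0.0.2",
    b"POST /goform/PPTPServer HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\nip1=" + b"x" * 600,
    b"GET /goform/SafeMacFilter?page=" + b"1" * 300 + b" HTTP/1.1\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in inspect_request(sample):
            print("ALERT", finding)
```

The same length rule can be applied to proxy or IDS logs that record the request target and body; only the parsing step changes.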
Mitigation
Vendor patch required: users must update the Tenda WH450 firmware as soon as a vendor patch becomes available. Until then:
- Disable remote management of the web interface.
- Restrict access (ACLs) to trusted networks.
- Network segmentation — isolate router config interface.
- Monitor traffic for unusual CGI hits or buffer overflow signatures.
Conclusion
Multiple critical vulnerabilities affecting the Tenda WH450 router’s web management interface have been made public, all resulting from stack buffer overflows in CGI endpoints. These flaws allow remote unauthenticated attackers to potentially execute code or crash the device.
Action items for administrators:
- Check Tenda support for updated firmware
- Harden management interfaces
- Block WAN-side access to device web UI
Staying ahead of these bugs protects not only your network perimeter but also prevents attackers from pivoting to internal systems.
