CVE-2025-6090
BaseFortify
Publication date: 2025-06-15
Last updated on: 2025-06-16
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6090 is a critical buffer overflow vulnerability in the H3C GR-5400AX router firmware V100R009L50. It occurs in the UpdateWanparamsMulti and UpdateIpv6params functions of the /routing/goform/aspForm file, where improper handling of the 'param' argument allows an attacker to overflow a buffer. This flaw can be exploited remotely without authentication, potentially leading to denial of service or remote command execution due to memory corruption caused by insufficient input validation. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by compromising the confidentiality, integrity, and availability of the affected router. An attacker can remotely exploit the buffer overflow to cause denial of service (DoS) or execute arbitrary commands on the device, potentially taking control of the router or disrupting network services. Since the exploit is publicly available and requires no authentication, the risk of attack is significant. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by monitoring network traffic for attempts to access the vulnerable endpoint /routing/goform/aspForm with suspicious parameters, especially those targeting functions like UpdateWanparamsMulti or UpdateIpv6params. Since the vulnerability involves buffer overflow via the 'param' argument, unusual or malformed HTTP POST requests to this endpoint may indicate exploitation attempts. Specific commands could include using network monitoring tools like tcpdump or Wireshark to filter HTTP requests to the device's IP on relevant ports (usually port 80 or 443). For example, a tcpdump command to capture such traffic could be: tcpdump -i <interface> host <router_ip> and port 80 and 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354' (to filter HTTP POST requests). Additionally, reviewing web server logs on the device for abnormal requests to /routing/goform/aspForm may help detect exploitation attempts. However, no specific detection scripts or commands are provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting remote access to the affected device's management interface to trusted networks only, such as via firewall rules or VPN. Since the vendor has no immediate remediation plans and no known countermeasures or patches are available, it is recommended to consider replacing the affected product with an alternative device. Monitoring for exploitation attempts and disabling remote management if possible can also reduce risk. Applying network segmentation and limiting exposure of the device to untrusted networks are advisable interim measures. [2]