CVE-2025-12596
BaseFortify
Publication date: 2025-11-02
Last updated on: 2025-11-05
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac23_firmware | 16.03.07.52 |
| tenda | ac23 | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical buffer overflow in the Tenda AC23 router firmware version 16.03.07.52, specifically in the function saveParentControlInfo located at /goform/saveParentControlInfo. The issue arises because the function uses the unsafe sscanf function to parse the 'time' parameter from incoming requests without proper bounds checking. An attacker can supply an excessively large 'time' parameter, causing a stack buffer overflow. This overflow can lead to application crashes, memory corruption, and potentially allow arbitrary code execution on the device. The attack can be launched remotely without authentication. [1, 2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can result in denial of service by crashing the router's web server process, arbitrary code execution allowing an attacker to run malicious code on the device, and information leakage by exposing sensitive device memory. Since the attack requires no authentication and can be performed remotely, it poses a high risk to device availability, confidentiality, and integrity. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for abnormal POST requests to the endpoint /goform/saveParentControlInfo with an unusually large 'time' parameter. Detection can include inspecting HTTP traffic for oversized 'time' parameters or signs of application crashes related to this endpoint. A practical approach is to use network traffic capture tools like tcpdump or Wireshark to filter POST requests to /goform/saveParentControlInfo and check the size of the 'time' parameter. For example, using curl or similar tools to send crafted requests can help test if the system is vulnerable. Additionally, running static or dynamic analysis tools (SAST/DAST) on the firmware or application code can help detect unsafe sscanf usage. Example command to capture relevant traffic: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/saveParentControlInfo'. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Implement input validation to restrict the size and format of the 'time' parameter to prevent buffer overflow. 2) Replace the unsafe sscanf call with safer parsing functions that enforce buffer size limits using width specifiers. 3) Apply least privilege principles to the application process to limit damage if exploited. 4) Enable compiler-level protections such as Stack Canaries, ASLR, and DEP to reduce exploitation risk. 5) If possible, update or patch the firmware to a version where this vulnerability is fixed or replace the affected device with a secure alternative. 6) Monitor and block suspicious POST requests targeting /goform/saveParentControlInfo with oversized parameters at the network perimeter. [2]