CVE-2025-15233
Unknown Unknown - Not Provided
Heap-Based Buffer Overflow in Tenda M3 Remote Function

Publication date: 2025-12-30

Last updated on: 2026-02-24

Assigner: VulDB

Description
A security flaw has been discovered in Tenda M3 1.0.0.13(4903). This issue affects the function formSetAdInfoDetails of the file /goform/setAdInfoDetail. The manipulation of the argument adName/smsPassword/smsAccount/weixinAccount/weixinName/smsSignature/adRedirectUrl/adCopyRight/smsContent/adItemUID results in heap-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2026-02-24
Generated
2026-05-07
AI Q&A
2025-12-30
EPSS Evaluated
2026-05-05
NVD
CVE-2025-15233
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda m3 1.0.0.13
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a heap-based buffer overflow in the Tenda M3 firmware version 1.0.0.13(4903), specifically in the function formSetAdInfoDetails of the file /goform/setAdInfoDetail. It occurs when certain arguments such as adName, smsPassword, smsAccount, weixinAccount, weixinName, smsSignature, adRedirectUrl, adCopyRight, smsContent, or adItemUID are manipulated. The flaw can be exploited remotely and the exploit code has been publicly released.


How can this vulnerability impact me? :

Exploitation of this vulnerability can lead to a heap-based buffer overflow, which may allow an attacker to execute arbitrary code remotely, potentially compromising the affected device. This can result in unauthorized access, data theft, device control, or disruption of service.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious POST requests sent to the /goform/setAdInfoDetail endpoint with crafted parameters such as adName, smsPassword, smsAccount, weixinAccount, weixinName, smsSignature, adRedirectUrl, adCopyRight, smsContent, or adItemUID that may trigger a heap-based buffer overflow. Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on such anomalous POST requests. Specific commands are not provided in the resources, but capturing HTTP traffic with tools like tcpdump or Wireshark and filtering for POST requests to /goform/setAdInfoDetail could help detect exploitation attempts. [2, 3]


What immediate steps should I take to mitigate this vulnerability?

No known mitigations or countermeasures currently exist for this vulnerability. The recommended immediate step is to replace the affected Tenda M3 router running firmware version 1.0.0.13(4903) with a secure alternative to avoid risk. Additionally, restricting remote access to the device and monitoring for exploit attempts may help reduce exposure until replacement. [3]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart