CVE-2025-68706
Stack-Based Buffer Overflow in KuWFi AC900 GoAhead-Webs Enables Code Execution
Publication date: 2025-12-29
Last updated on: 2025-12-29
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kuwfi | 4g_lte_ac900 | 1.0.13 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stack-based buffer overflow in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. Specifically, the /goform/formMultiApnSetting handler uses sprintf() to copy a user-supplied 'pincode' parameter into a fixed 132-byte stack buffer without checking the length. This can overwrite adjacent stack memory, potentially crashing the web server or allowing an attacker to execute arbitrary code under certain conditions.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can cause the web server on the affected device to crash, leading to denial of service. Additionally, under certain conditions, the attacker may be able to execute arbitrary code on the device, which could lead to full compromise of the device, unauthorized access, or further attacks within the network.