Skip to main content

Tenda AC8 CVE-2025-61498

HIGH
Stack-based Buffer Overflow (CWE-121)
2025-10-30 cve@mitre.org
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated crafted packet to a network-reachable UPnP service (PR:N/AC:L) causing device crash; availability-only impact (A:H) with no C/I compromise.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:13 vuln.today

DescriptionCVE.org

A buffer overflow in the UPnP service of Tenda AC8 Hardware v03.03.10.01 allows attackers to cause a Denial of Service (DoS) via supplying a crafted packet.

AnalysisAI

Denial of service in the Tenda AC8 dual-band gigabit router (hardware revision v03.03.10.01) allows a remote attacker to crash the device by sending a single crafted packet to its UPnP service, triggering a stack-based buffer overflow (CWE-121). The flaw requires no authentication or user interaction per the CVSS vector (PR:N/UI:N) and impacts availability only (A:H, no confidentiality/integrity impact). Publicly available exploit material exists via a researcher GitHub repository, though the issue is not listed in CISA KEV and carries a modest EPSS score of 0.39% (31st percentile).

Technical ContextAI

The affected component is the UPnP (Universal Plug and Play) daemon running on the Tenda AC8, a consumer SOHO wireless router; the CPE cpe:2.3:o:tenda:ac8_firmware:03.03.10.01 pins the vulnerable code to firmware/hardware build 03.03.10.01. UPnP is a set of networking protocols (SSDP for discovery, SOAP/HTTP for control) that lets LAN devices auto-configure port mappings; Tenda routers implement this in native C service binaries. The root cause is CWE-121 (stack-based buffer overflow): the UPnP handler copies attacker-controlled data from an incoming packet into a fixed-size stack buffer without adequate bounds checking, corrupting the stack frame. On these MIPS/ARM embedded targets such corruption typically overwrites the return address and crashes the process (or the device), consistent with the availability-only impact reported here.

RemediationAI

No vendor-released patch identified at time of analysis - the only available reference is a researcher GitHub repository (https://github.com/sakshi-garg02/CVEs/tree/main/CVE-2025-61498), not a Tenda advisory or fixed firmware version, so no exact fix version can be cited. As compensating controls: disable UPnP on the router if the feature is not needed (side effect: applications and consoles relying on automatic port-forwarding must be configured manually); ensure UPnP/SSDP (UDP 1900 and the associated SOAP control port) is not reachable from the WAN interface and is blocked at any upstream firewall (side effect: none for typical home use, since UPnP should never face the internet); and restrict LAN access to trusted devices, since exploitation requires network reachability to the UPnP service. Monitor Tenda's support site for updated AC8 firmware superseding v03.03.10.01 and apply it once released.

CVE-2025-51087 HIGH POC
8.6 Jul 24

Stack-based buffer overflow in the Tenda AC8V4 router (firmware V16.03.34.06) lets remote attackers corrupt memory by su

CVE-2023-48194 CRITICAL POC
9.8 Jul 09

Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \x0. Rated crit

CVE-2025-25668 CRITICAL POC
9.8 Feb 20

Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the shareSpeed parameter in the sub_47D878 funct

CVE-2025-25667 CRITICAL POC
9.8 Feb 20

Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the urls parameter in the function get_parentCon

CVE-2025-25664 CRITICAL POC
9.8 Feb 20

Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the shareSpeed parameter in the sub_49E098 funct

CVE-2025-25663 CRITICAL POC
9.8 Feb 20

A vulnerability was found in Tenda AC8V4 V16.03.34.06. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2024-46652 CRITICAL POC
9.8 Sep 20

Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability in the fromAdvSetMacMtuWan function. Rated critical severity

CVE-2023-4744 CRITICAL POC
9.8 Sep 04

A vulnerability was found in Tenda AC8 16.03.34.06_cn_TDC01. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2023-40900 CRITICAL POC
9.8 Aug 24

Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter list at /goform/SetNe

CVE-2023-40899 CRITICAL POC
9.8 Aug 24

Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter macFilterType and par

CVE-2023-40898 CRITICAL POC
9.8 Aug 24

Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter timeZone at /goform/S

CVE-2023-40897 CRITICAL POC
9.8 Aug 24

Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter mac at /goform/GetPar

Share

CVE-2025-61498 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy