Tenda AC8
CVE-2025-61498
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated crafted packet to a network-reachable UPnP service (PR:N/AC:L) causing device crash; availability-only impact (A:H) with no C/I compromise.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
A buffer overflow in the UPnP service of Tenda AC8 Hardware v03.03.10.01 allows attackers to cause a Denial of Service (DoS) via supplying a crafted packet.
AnalysisAI
Denial of service in the Tenda AC8 dual-band gigabit router (hardware revision v03.03.10.01) allows a remote attacker to crash the device by sending a single crafted packet to its UPnP service, triggering a stack-based buffer overflow (CWE-121). The flaw requires no authentication or user interaction per the CVSS vector (PR:N/UI:N) and impacts availability only (A:H, no confidentiality/integrity impact). Publicly available exploit material exists via a researcher GitHub repository, though the issue is not listed in CISA KEV and carries a modest EPSS score of 0.39% (31st percentile).
Technical ContextAI
The affected component is the UPnP (Universal Plug and Play) daemon running on the Tenda AC8, a consumer SOHO wireless router; the CPE cpe:2.3:o:tenda:ac8_firmware:03.03.10.01 pins the vulnerable code to firmware/hardware build 03.03.10.01. UPnP is a set of networking protocols (SSDP for discovery, SOAP/HTTP for control) that lets LAN devices auto-configure port mappings; Tenda routers implement this in native C service binaries. The root cause is CWE-121 (stack-based buffer overflow): the UPnP handler copies attacker-controlled data from an incoming packet into a fixed-size stack buffer without adequate bounds checking, corrupting the stack frame. On these MIPS/ARM embedded targets such corruption typically overwrites the return address and crashes the process (or the device), consistent with the availability-only impact reported here.
RemediationAI
No vendor-released patch identified at time of analysis - the only available reference is a researcher GitHub repository (https://github.com/sakshi-garg02/CVEs/tree/main/CVE-2025-61498), not a Tenda advisory or fixed firmware version, so no exact fix version can be cited. As compensating controls: disable UPnP on the router if the feature is not needed (side effect: applications and consoles relying on automatic port-forwarding must be configured manually); ensure UPnP/SSDP (UDP 1900 and the associated SOAP control port) is not reachable from the WAN interface and is blocked at any upstream firewall (side effect: none for typical home use, since UPnP should never face the internet); and restrict LAN access to trusted devices, since exploitation requires network reachability to the UPnP service. Monitor Tenda's support site for updated AC8 firmware superseding v03.03.10.01 and apply it once released.
More in Ac8 Firmware
View allStack-based buffer overflow in the Tenda AC8V4 router (firmware V16.03.34.06) lets remote attackers corrupt memory by su
Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \x0. Rated crit
Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the shareSpeed parameter in the sub_47D878 funct
Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the urls parameter in the function get_parentCon
Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the shareSpeed parameter in the sub_49E098 funct
A vulnerability was found in Tenda AC8V4 V16.03.34.06. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability in the fromAdvSetMacMtuWan function. Rated critical severity
A vulnerability was found in Tenda AC8 16.03.34.06_cn_TDC01. Rated critical severity (CVSS 9.8), this vulnerability is r
Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter list at /goform/SetNe
Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter macFilterType and par
Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter timeZone at /goform/S
Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter mac at /goform/GetPar
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today