What is the CVSS score of CVE-2025-69764?

CVE-2025-69764 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Ax3 Firmware are affected by CVE-2025-69764?

A critical remote code execution vulnerability (CVE-2025-69764) affects Tenda AX3 routers running firmware v16.03.12.11, with a CVSS score of 9.8 and active public exploits.

Is there a public PoC exploit available for CVE-2025-69764?

Yes, a public proof-of-concept exploit is available for CVE-2025-69764. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-69764?

Within 24 hours: Inventory all Tenda AX3 devices in your network and isolate affected units from production environments if operationally feasible. Within 7 days: Implement network segmentation to restrict access to vulnerable devices and deploy WAF rules to block malicious payloads targeting the formGetIptv function. Within 30 days: Replace affected Tenda AX3 units with alternative vendors or await vendor patch release; monitor Tenda security advisories daily for patch availability.

Ax3 Firmware CVE-2025-69764

CRITICAL

Stack-based Buffer Overflow (CWE-121)

2026-01-22 cve@mitre.org

RCE Buffer Overflow Memory Corruption Stack Overflow Tenda Ax3 Firmware

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 26, 2026 - 20:39 vuln.today

Public exploit code

CVE Published

Jan 22, 2026 - 16:16 nvd

CRITICAL 9.8

DescriptionNVD

Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the stbpvid stack buffer, which may result in memory corruption and remote code execution.

AnalysisAI

Tenda AX3 firmware has another stack-based buffer overflow in formGetIptv through a different input path, enabling remote code execution.

Technical ContextAI

Another CWE-121 stack-based buffer overflow in the formGetIptv function of Tenda AX3 firmware v16.03.12.11, exploitable through a different parameter than the previously discovered overflow (CVE-2025-69766).

RemediationAI

Update firmware. Replace Tenda AX3 if no firmware updates are available.

CVE-2025-69764 vulnerability details – vuln.today

Back

Ax3 Firmware CVE-2025-69764

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code