CRITICAL🇵🇱 Wersja polska

CVE-2025-57085

CVSS 9.8v3.1pub. 2025-09-09upd. 2025-09-17

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-121 (stack-based buffer overflow) consists in the fact that the UploadCfg function incorrectly handles the value of parameter v17 — it does not verify its length before writing it to the stack buffer. An attacker can send a specially crafted network request containing an excessively long parameter value, which leads to stack buffer overflow. The result is device instability and unavailability (DoS).

Impact

An attacker can remotely cause a device crash (DoS), resulting in interruption of its operation and loss of access to the network served by the router. Due to the CVSS vector (no required authentication, network as attack vector), the attack can be performed by any person with network access to the device.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until the update is deployed, it is recommended to restrict access to the device management interface to trusted IP addresses only and isolate the device from untrusted network segments.

Who is affected

Tenda W30E Firmware version V16.01.0.19 (5037)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Tenda W30e

    HW
    Tenda
    wszystkie wersje
  • Tenda W30e Firmware

    OS
    Tenda
    ≤ 16.01.0.19\(5037\)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
DoS
CWE
References

Related vulnerabilities

CVE-2026-38835CRITICAL9.8PL ✓ten sam produkt

Command injection w Tenda W30E via parametr usbPartitionName

CVE-2026-24429CRITICAL9.3PL ✓ten sam produkt

Tenda W30E V2 — predefiniowane domyślne hasło w firmware umożliwia nieautoryzowany dostęp

CVE-2026-24436CRITICAL9.2PL ✓ten sam produkt

Brak ograniczenia prób logowania w Tenda W30E — atak brute-force

CVE-2024-32286CRITICAL9.8PL ✓ten sam produkt

Stack overflow w Tenda W30E przez parametr 'page' w funkcji fromVirtualSer

CVE-2023-49403CRITICAL9.8PL ✓ten sam produkt

Command injection w routerze Tenda W30E poprzez funkcję setFixTools