Login Sign Up

CVE-2022-25546

7.5 HIGH
Denial of Service

📋 TL;DR

Tenda AX1806 routers running firmware v1.0.0.1 contain a stack overflow vulnerability in the formSetSysToolDDNS function. Attackers can exploit this by sending specially crafted requests to the ddnsUser parameter, causing a Denial of Service (DoS) that crashes the device. This affects all users of Tenda AX1806 routers with the vulnerable firmware version.

💻 Affected Systems

Products:
  • Tenda AX1806
Versions: v1.0.0.1
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface. The DDNS feature must be accessible, which is typically enabled by default.

📦 What is this software?

Ax1806 Firmware by Tenda

View all CVEs affecting Ax1806 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device crash requiring physical power cycle, potentially leading to extended network downtime and loss of connectivity for all connected devices.

🟠

Likely Case

Router becomes unresponsive, requiring manual reboot and causing temporary network disruption for connected users.

🟢

If Mitigated

If isolated from untrusted networks, minimal impact with only authorized users potentially triggering the vulnerability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the web interface, which typically requires authentication. However, if default credentials are unchanged or other vulnerabilities exist, this could be chained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Check Tenda's website for firmware updates. If an update exists, download from official sources and apply through the router's web interface under System Tools > Firmware Upgrade.

🔧 Temporary Workarounds

Disable DDNS Service

all

Turn off the Dynamic DNS feature to prevent exploitation via the vulnerable parameter.

Restrict Web Interface Access

all

Limit access to the router's web management interface to trusted IP addresses only.

🧯 If You Can't Patch

  • Isolate the router from untrusted networks and the internet if possible.
  • Change default credentials and implement strong authentication for the web interface.

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Tools > Firmware Upgrade. If version is exactly v1.0.0.1, the device is vulnerable.

Check Version:

No CLI command available. Must check via web interface at http://router_ip or through router's admin panel.

Verify Fix Applied:

Verify firmware version has been updated to a version later than v1.0.0.1.

📡 Detection & Monitoring

Log Indicators:

  • Router crash logs, web interface access logs showing requests to DDNS configuration endpoints with unusual payloads

Network Indicators:

  • Sudden loss of connectivity to router, HTTP requests to /goform/setSysToolDDNS with large ddnsUser parameter values

SIEM Query:

Not applicable for typical home router environments without centralized logging.

📊 Metadata

CVE ID: CVE-2022-25546
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-787
Published: March 10, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-25546, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)