Login Sign Up

CVE-2023-25210

9.8 CRITICAL
Remote Code Execution Denial of Service

📋 TL;DR

CVE-2023-25210 is a critical stack overflow vulnerability in Tenda AC5 routers that allows attackers to cause denial of service or execute arbitrary code by sending crafted payloads to the fromSetSysTime function. This affects all users running vulnerable firmware versions of Tenda AC5 routers. Attackers can potentially gain full control of affected devices.

💻 Affected Systems

Products:
  • Tenda AC5 router
Versions: US_AC5V1.0RTL_V15.03.06.28 and likely earlier versions
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface. All devices running vulnerable firmware are affected regardless of configuration.

📦 What is this software?

Ac5 Firmware by Tenda

View all CVEs affecting Ac5 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, persistence installation, network pivoting, and data exfiltration

🟠

Likely Case

Denial of service causing router crashes and network disruption, potentially followed by malware deployment

🟢

If Mitigated

Limited impact with proper network segmentation and firewall rules blocking external access to management interfaces

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices with management interfaces exposed
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires sending crafted HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Tenda website for latest firmware

Vendor Advisory: Not publicly available

Restart Required: Yes

Instructions:

1. Visit Tenda support website 2. Download latest firmware for AC5 3. Log into router admin panel 4. Navigate to System Tools > Firmware Upgrade 5. Upload and install new firmware 6. Reboot router

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router management interface

Network segmentation

all

Isolate router management interface to trusted network segment

🧯 If You Can't Patch

  • Replace affected devices with patched or alternative models
  • Implement strict firewall rules blocking all external access to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin panel under System Status or System Tools

Check Version:

Login to router web interface and check System Status page

Verify Fix Applied:

Verify firmware version is newer than US_AC5V1.0RTL_V15.03.06.28

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed HTTP requests to /goform/setSysTime
  • Router crash/reboot logs
  • Unusual process execution

Network Indicators:

  • HTTP POST requests to /goform/setSysTime with large payloads
  • Unusual traffic to router management port

SIEM Query:

source="router_logs" AND (uri_path="/goform/setSysTime" OR event="crash" OR event="reboot")

📊 Metadata

CVE ID: CVE-2023-25210
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: April 7, 2023
Last Updated: February 13, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-25210, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)