CVE-2023-25212 – CVE-2023-25212 is a critical stack overflow vul... (How to Fix)

📋 TL;DR

CVE-2023-25212 is a critical stack overflow vulnerability in Tenda AC5 routers that allows attackers to cause denial of service or execute arbitrary code by sending a crafted payload to the fromSetWirelessRepeat function. This affects Tenda AC5 router users running vulnerable firmware versions. Attackers can potentially take full control of affected devices.

💻 Affected Systems

Products:

Tenda AC5 router

Versions: US_AC5V1.0RTL_V15.03.06.28 and likely earlier versions

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the wireless repeater function. All devices running this firmware version are vulnerable by default.

📦 What is this software?

Ac5 Firmware by Tenda

View all CVEs affecting Ac5 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistent remote access, network traffic interception, lateral movement to internal networks, and device bricking.

🟠

Likely Case

Router crash requiring physical reset, temporary network disruption, and potential credential theft if device is internet-facing.

🟢

If Mitigated

Limited to internal network disruption if properly segmented, with no critical data exposure.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers worldwide.

🏢 Internal Only: MEDIUM - Requires internal network access but could still be exploited by compromised internal devices or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public GitHub repository contains detailed analysis and proof-of-concept. Exploitation requires sending crafted HTTP request to vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for AC5 model
3. Access router admin interface
4. Navigate to firmware upgrade section
5. Upload and apply new firmware
6. Wait for router to reboot

🔧 Temporary Workarounds

Disable Wireless Repeater Function

all

Disable the vulnerable fromSetWirelessRepeat functionality to prevent exploitation

Access router admin interface > Wireless Settings > Disable 'Repeater' or 'WISP' mode

Network Segmentation

all

Isolate router management interface from untrusted networks

Configure firewall rules to restrict access to router admin interface (typically port 80/443)

🧯 If You Can't Patch

Replace vulnerable router with supported model from different vendor
Implement strict network access controls and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is US_AC5V1.0RTL_V15.03.06.28 or earlier, device is vulnerable.

Check Version:

Access router web interface at http://192.168.0.1 or http://192.168.1.1 and check System Status or Firmware Version page

Verify Fix Applied:

Verify firmware version has been updated to a version later than US_AC5V1.0RTL_V15.03.06.28

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to /goform/setWirelessRepeat
Router crash/reboot logs
Multiple failed authentication attempts

Network Indicators:

Unusual outbound connections from router
Traffic patterns indicating device compromise
Port scanning originating from router

SIEM Query:

source="router_logs" AND (uri="/goform/setWirelessRepeat" OR message="stack overflow" OR message="segmentation fault")

📊 Metadata

CVE ID: CVE-2023-25212

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: April 7, 2023

Last Updated: February 13, 2025

🔗 References

https://github.com/DrizzlingSun/Tenda/blob/main/AC5/6/6.md Third Party Advisory
https://github.com/DrizzlingSun/Tenda/blob/main/AC5/6/6.md Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-25212, you might also want to check these: