CVE-2023-25216 – CVE-2023-25216 is a critical stack overflow vul... (How to Fix)

Q: What is the severity of CVE-2023-25216?

CVE-2023-25216 has a CVSS score of 9.8 (CRITICAL). CVE-2023-25216 is a critical stack overflow vulnerability in Tenda AC5 routers that allows attackers to cause denial of service or execute arbitrary code by sending a crafted payload to the formSetFirewallCfg function. This affects Tenda AC5 router users running vulnerable firmware versions. Attackers can potentially gain full control of affected devices.

📋 TL;DR

CVE-2023-25216 is a critical stack overflow vulnerability in Tenda AC5 routers that allows attackers to cause denial of service or execute arbitrary code by sending a crafted payload to the formSetFirewallCfg function. This affects Tenda AC5 router users running vulnerable firmware versions. Attackers can potentially gain full control of affected devices.

💻 Affected Systems

Products:

Tenda AC5 router

Versions: US_AC5V1.0RTL_V15.03.06.28 and likely earlier versions

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running the affected firmware version are vulnerable by default. The formSetFirewallCfg function is part of the web management interface.

📦 What is this software?

Ac5 Firmware by Tenda

View all CVEs affecting Ac5 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, persistence installation, network traffic interception, and lateral movement to other devices on the network.

🟠

Likely Case

Denial of service causing router crashes and network disruption, potentially followed by malware installation for botnet participation or credential theft.

🟢

If Mitigated

Limited to denial of service if exploit attempts are blocked at network perimeter, though internal attacks could still succeed.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and the vulnerability can be exploited remotely without authentication.

🏢 Internal Only: HIGH - Even if not directly internet-facing, any attacker on the local network can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept code exists in GitHub repositories. The vulnerability requires no authentication and has a simple exploitation path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Tenda website for latest firmware (version after V15.03.06.28)

Vendor Advisory: Not specified in references, check Tenda official website

Restart Required: Yes

Instructions:

1. Log into Tenda router web interface. 2. Navigate to System Tools > Firmware Upgrade. 3. Download latest firmware from Tenda website. 4. Upload and install firmware. 5. Router will reboot automatically.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router management interface

Log into router > Advanced > System > Remote Management > Disable

Network segmentation

all

Isolate router management interface from untrusted networks

Configure firewall rules to block external access to router web interface ports (typically 80/443)

🧯 If You Can't Patch

Replace affected routers with patched or different vendor models
Implement strict network access controls to limit who can reach router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface: System Status > Firmware Version

Check Version:

curl -s http://router-ip/ | grep -i firmware or check web interface

Verify Fix Applied:

Verify firmware version is newer than V15.03.06.28 and test that formSetFirewallCfg endpoint handles malformed inputs properly

📡 Detection & Monitoring

Log Indicators:

Multiple failed or malformed requests to /goform/setFirewallCfg endpoint
Router crash/reboot logs
Unusual outbound connections from router

Network Indicators:

Unusual HTTP POST requests to router management interface with large payloads
Traffic patterns suggesting router compromise

SIEM Query:

source="router_logs" AND (uri="/goform/setFirewallCfg" OR message="firewall config") AND (bytes > 1000 OR status=500)

📊 Metadata

CVE ID: CVE-2023-25216

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: April 7, 2023

Last Updated: February 12, 2025

🔗 References

https://github.com/DrizzlingSun/Tenda/blob/main/AC5/9/9.md Third Party Advisory
https://github.com/DrizzlingSun/Tenda/blob/main/AC5/9/9.md Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-25216, you might also want to check these: