CVE-2025-44900

6.5 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda RX3 routers by exploiting a stack overflow in the GetParentControlInfo function. Attackers can send specially crafted requests to the web interface, potentially gaining full control of affected devices. All users running the vulnerable firmware version are affected.

💻 Affected Systems

Products:
  • Tenda RX3
Versions: V1.0br_V16.03.13.11
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: The web management interface must be accessible. Remote management may be disabled by default but LAN access is always available.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, credential theft, network pivoting, and persistent backdoor installation.

🟠 Likely Case: Router crash/reboot causing service disruption, or limited code execution for information disclosure.

🟢 If Mitigated: Denial of service if the exploit fails or is blocked by network controls.

🌐 Internet-Facing: HIGH - Web interface is typically exposed to LAN and potentially WAN if remote management is enabled.
🏢 Internal Only: HIGH - Even internal attackers can exploit this via the LAN interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repository contains detailed exploit information. No authentication required to trigger the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for RX3
3. Access router web interface
4. Navigate to System Tools > Firmware Upgrade
5. Upload and install new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable Web Management Interface

Prevent access to the vulnerable endpoint by disabling the web interface. Note that killing the process does not persist across a reboot; the service comes back when the router restarts.

  1. Access the router CLI via telnet/SSH if available
  2. Disable the httpd service: killall httpd

Network Segmentation

Isolate the router management interface to a trusted network only. Configure firewall rules so that only TRUSTED_NET can reach the router on ports 80 and 443 (replace TRUSTED_NET with the trusted subnet, e.g. 192.168.10.0/24):

  iptables -A INPUT -s TRUSTED_NET -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -j DROP
  iptables -A INPUT -s TRUSTED_NET -p tcp --dport 443 -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Replace affected routers with patched or different models
  • Implement strict network access controls to limit who can reach router management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or via command: cat /proc/version

Check Version:

  curl -s http://router-ip/ | grep -i version

If curl is unavailable, connect with telnet router-ip 80 and send GET / manually.

Verify Fix Applied:

Verify firmware version is newer than V16.03.13.11 and test if /goform/GetParentControlInfo endpoint still exists
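The firmware version check above can be automated. The following is an added example (not part of the CVE record) that extracts the dotted build number from a Tenda-style version string such as V1.0br_V16.03.13.11 and compares it numerically against the vulnerable build listed on this page. Because no patch version is known, the function only reports whether a build is at or below the vulnerable one; a newer build is not by itself proof of a fix.

```python
import re

# Vulnerable build as listed in the CVE record.
VULNERABLE_VERSION = "V16.03.13.11"

# Matches a V-prefixed dotted number such as V1.0 or V16.03.13.11.
VERSION_RE = re.compile(r"V(\d+(?:\.\d+)+)")


def parse_version(version_string: str) -> tuple:
    """Return the numeric tuple of the last V-prefixed dotted version in the string.

    'V1.0br_V16.03.13.11' -> (16, 3, 13, 11). The leading 'V1.0br' is a
    hardware/board tag, so the last match is the firmware build.
    """
    matches = VERSION_RE.findall(version_string)
    if not matches:
        raise ValueError(f"no firmware version found in {version_string!r}")
    return tuple(int(part) for part in matches[-1].split("."))


def at_or_below_vulnerable(version_string: str) -> bool:
    """True when the firmware build is the vulnerable one or older.

    Tuple comparison is numeric per component, so '16.03.13.9' sorts
    below '16.03.13.11' (a plain string compare would get this wrong).
    """
    return parse_version(version_string) <= parse_version(VULNERABLE_VERSION)


if __name__ == "__main__":
    # Constructed sample strings in the format shown on this page.
    for sample in ("V1.0br_V16.03.13.11", "V1.0br_V16.03.13.9", "V1.0br_V16.03.14.2"):
        status = "vulnerable build or older" if at_or_below_vulnerable(sample) else "newer than vulnerable build"
        print(f"{sample}: {status}")
```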

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /goform/GetParentControlInfo with long mac parameters
  • Router crash/reboot logs
  • Unusual process execution in system logs

Network Indicators:

  • HTTP POST requests to /goform/GetParentControlInfo with oversized mac parameter
  • Unusual outbound connections from router

SIEM Query:

source="router_logs" AND uri_path="/goform/GetParentControlInfo" AND (uri_query="*mac=*" AND length(uri_query)>100)
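The log and network indicators above reduce to one rule: a request for /goform/GetParentControlInfo whose mac parameter is longer than a real MAC address. The following added example (not part of the CVE record, and not Tenda code) implements that rule over constructed, combined-log-style sample lines; the log format, the "body=" field that carries a POST body, and the sample addresses are assumptions for the example. It also counts hits per source address, since the page flags repeated requests as an indicator.

```python
import re
from urllib.parse import urlsplit, parse_qs

VULN_PATH = "/goform/GetParentControlInfo"
MAC_MAX_LEN = 17  # "aa:bb:cc:dd:ee:ff" is 17 characters; a legitimate value is never longer

# Constructed sample log lines (hypothetical combined-log style; the trailing
# "body=" field is an assumed logger extension that records the POST body).
# Line 3 carries a 300-byte mac value and line 4 a 200-byte one in the body.
SAMPLE_LOG = [
    '192.168.0.23 - - [10/May/2025:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.168.0.23 - - [10/May/2025:12:00:02 +0000] "POST /goform/GetParentControlInfo?mac=aa:bb:cc:dd:ee:ff HTTP/1.1" 200 512',
    '192.168.0.99 - - [10/May/2025:12:00:05 +0000] "POST /goform/GetParentControlInfo?mac=' + "A" * 300 + ' HTTP/1.1" 200 512',
    '192.168.0.99 - - [10/May/2025:12:00:06 +0000] "POST /goform/GetParentControlInfo HTTP/1.1" 500 0 body=mac=' + "B" * 200,
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: body=(?P<body>.*))?$'
)


def parse_line(line: str):
    """Parse one log line into a dict with path and merged query/body parameters.

    Returns None for lines that do not match the assumed format.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    params = parse_qs(parts.query, keep_blank_values=True)
    if rec["body"]:
        # A POST may carry mac= in the body instead of the query string.
        for key, values in parse_qs(rec["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    rec["params"] = params
    return rec


def mac_length(rec) -> int:
    """Longest mac value seen in the request, 0 when absent."""
    return max((len(v) for v in rec["params"].get("mac", [])), default=0)


def find_suspicious(lines, max_len: int = MAC_MAX_LEN):
    """Return one hit per request to VULN_PATH whose mac parameter exceeds max_len."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_PATH:
            continue
        n = mac_length(rec)
        if n > max_len:
            hits.append({"src": rec["src"], "ts": rec["ts"], "mac_len": n, "status": rec["status"]})
    return hits


def count_by_source(hits):
    """Number of oversized requests per source address (repeat offenders stand out)."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} mac_len={h['mac_len']} status={h['status']}")
    print("per source:", count_by_source(found))
```

The normal request on line 2 (a 17-character MAC) is not reported; the two oversized requests from 192.168.0.99 are, which is the same condition the SIEM query above expresses with length(uri_query)>100, with the threshold tightened to the actual maximum length of a MAC address.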
