CVE-2025-60341
📋 TL;DR
This vulnerability is a stack buffer overflow in Tenda AC6 V2.0 routers through the fast_setting_wifi_set function's ssid parameter. Attackers can exploit this by sending specially crafted input to cause a Denial of Service (DoS), potentially crashing the router. Users of Tenda AC6 V2.0 routers with vulnerable firmware are affected.
💻 Affected Systems
- Tenda AC6 V2.0
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete router crash requiring physical reboot, potential remote code execution if the overflow can be controlled to execute arbitrary code (though not confirmed in this CVE).
Likely Case
Router becomes unresponsive or reboots, causing temporary network disruption until manually restarted.
If Mitigated
If the router is behind a firewall with restricted WAN access, exploitation risk is limited to internal attackers or compromised internal devices.
🎯 Exploit Status
Exploitation requires authentication to the router's web interface. The PoC demonstrates triggering the overflow via authenticated POST request to /goform/fast_setting_wifi_set.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
1. Check Tenda's official website for firmware updates. 2. If an update is available, download the firmware file. 3. Log into the router's web interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install the new firmware. 6. Wait for the router to reboot.
🔧 Temporary Workarounds
Disable Remote Management
allPrevent external access to the router's web interface by disabling remote management.
Change Default Credentials
allUse strong, unique credentials to reduce risk of unauthorized authentication.
🧯 If You Can't Patch
- Isolate the router on a separate network segment with strict firewall rules limiting access to management interfaces.
- Implement network monitoring for unusual POST requests to /goform/fast_setting_wifi_set with large ssid parameters.
🔍 How to Verify
Check if Vulnerable:
Check the router's firmware version via the web interface (typically under System Status or System Tools). If the version is 15.03.06.50 or earlier, it is likely vulnerable.Check Version:
Not applicable (web interface check required)Verify Fix Applied:
After updating firmware, verify the version has changed to a newer release than 15.03.06.50.📡 Detection & Monitoring
Log Indicators:
- Router system logs showing crashes or reboots
- Web interface logs showing POST requests to /goform/fast_setting_wifi_set with unusually long ssid parameters
Network Indicators:
- HTTP POST requests to router IP on port 80/443 targeting /goform/fast_setting_wifi_set with large payloads in ssid field
SIEM Query:
Not provided