A critical remote code execution vulnerability exists in multiple Tenda products, including the WH450 router. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted request to the device's web interface, causing a buffer overflow that allows for complete system compromise. Due to the high severity (CVSS 9.8) and the public availability of an exploit, this vulnerability poses a significant and immediate risk to affected networks.

The vulnerability is a stack-based buffer overflow within the HTTP Request Handler component of the device's firmware. Specifically, the function processing requests to the /goform/wirelessRestart endpoint fails to properly validate the length of the GO argument. A remote, unauthenticated attacker can send a crafted HTTP POST request with an overly long value for the GO parameter, overflowing the stack buffer and overwriting the function's return address, which enables the execution of arbitrary code on the device with root privileges.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation would grant an attacker complete control over the affected network device. The potential consequences include interception and exfiltration of sensitive network traffic, disruption of internet connectivity, and using the compromised device as a pivot point to launch further attacks against the internal network. This could lead to significant data breaches, operational downtime, reputational damage, and the compromise of other critical systems within the organization's environment.

Immediate Action: Immediately update all affected Tenda devices to the latest firmware version provided by the vendor to patch this vulnerability. After patching, review system and access logs for any unusual activity or signs of compromise preceding the update.

Proactive Monitoring: Implement monitoring rules to detect and alert on anomalous HTTP requests to the /goform/wirelessRestart endpoint, particularly those containing an unusually long GO parameter. Monitor network traffic for unexpected outbound connections originating from the Tenda devices. Utilize network intrusion detection/prevention systems (IDS/IPS) with signatures for CVE-2025-14878.

Compensating Controls: If immediate patching is not feasible, disable remote/WAN access to the device's web administration interface to prevent remote exploitation. If the interface must be exposed, place it behind a Web Application Firewall (WAF) with rules designed to block oversized parameter values for the /goform/wirelessRestart URI. Network segmentation can also limit the potential impact by isolating the vulnerable device from critical internal assets.

Public Exploit Available: true

Given the critical severity (CVSS 9.8), the remote and unauthenticated nature of the attack, and the public availability of an exploit, this vulnerability requires immediate attention. We strongly recommend that all affected Tenda products are patched without delay. Organizations should prioritize this remediation activity as if it were on the CISA KEV list due to the high probability of active exploitation. If patching cannot be performed immediately, the compensating controls outlined above must be implemented as a matter of urgency to reduce the attack surface.