A critical buffer overflow vulnerability has been identified in multiple Tenda products, assigned CVE-2025-55613 with a CVSS score of 9.8. This flaw allows an unauthenticated remote attacker to execute arbitrary code and gain complete control of an affected device by sending a specially crafted request to the MAC filtering function. Successful exploitation could lead to a full network compromise, data theft, or the device being co-opted into a botnet.

The vulnerability is a stack-based buffer overflow within the fromSafeSetMacFilter function of the device's firmware. An attacker can exploit this by sending a network request containing an overly long string in the mac parameter to the device's web management interface. The function fails to properly validate the length of this input, causing it to write past the intended buffer on the stack, which can overwrite critical data such as the function's return address. By carefully crafting the malicious input, an attacker can redirect the program's execution flow to arbitrary code, resulting in a full system compromise with the privileges of the running process, which is typically root.

This vulnerability presents a critical risk to the organization, reflected by its CVSS score of 9.8. A successful exploit grants an attacker complete control over the affected network device. This can lead to severe consequences, including the interception and theft of sensitive data passing through the network, unauthorized access to internal network segments, and the ability to launch further attacks against other systems from a trusted position within the network. Furthermore, compromised devices could be incorporated into a botnet for use in Distributed Denial-of-Service (DDoS) attacks, causing reputational damage and potential service disruption.

Immediate Action: Identify all vulnerable Tenda devices within the network and immediately apply the latest firmware updates provided by the vendor to patch this vulnerability. After patching, review device access logs for any anomalous requests or signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Configure network monitoring and intrusion detection systems (IDS) to alert on unusually long or malformed requests targeting the management interfaces of Tenda devices. Specifically, monitor HTTP POST requests to the endpoint responsible for MAC filter settings for abnormally large values in the mac parameter. Review system and web server logs on the devices for repeated failed requests or error messages related to the fromSafeSetMacFilter function.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce the risk of exploitation:

• Restrict access to the device's web management interface to a dedicated, trusted administrative network or specific IP addresses.
• Ensure the management interface is not exposed to the public internet.
• If available, deploy a Web Application Firewall (WAF) in front of the device to inspect and block malicious requests containing overly long parameter values.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) of this vulnerability, which allows for remote code execution, it is imperative that the organization takes immediate action. We strongly recommend prioritizing the deployment of vendor-supplied patches to all affected Tenda devices. Although there is no evidence of active exploitation at this time, the high potential for complete system compromise makes this vulnerability an attractive target for attackers. Proactive patching is the most effective defense to prevent a security breach.