CVE-2025-1851
Published 2025-03-03
Priority P2 · 66 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.99% (58.1th percentile)
A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15.03.06.44. This affects the function formSetFirewallCfg of the file /goform/SetFirewallCfg. The manipulation of the argument firewallEn leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Affected
53 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 6.15.0 < 6.17.6 | 6.17.6 |
| msrc | cbl2_vim_8.2.5064-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_vim_8.2.5064-1_on_cbl_mariner_1.0 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
| tenda | ac7 | — | — |
Detection & IOCs (extracted from sources)
command: POST /goform/SetFirewallCfg with firewallEn= parameter value >= 100 bytes
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda SetFirewallCfg firewallEn Parameter Buffer Overflow Attempt (CVE-2025-8810, CVE-2025-29358, CVE-2025-1851, CVE-2024-2809)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:22; content:"/goform/SetFirewallCfg"; fast_pattern; http.request_body; content:"firewallEn|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:cve,2025-8810; reference:url,www.cve.org/CVERecord/SearchResults?query=SetFirewallCfg; reference:cve,2025-1851; reference:cve,2025-29358; reference:url,github.com/peris-navince/founded-0-days/blob/main/Tenda/ac8/formSetFirewallCfg/1.md; reference:cve,2024-2809; classtype:web-application-attack; sid:2065155; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_10, cve CVE_2025_1851_CVE_2025_8810_CVE_2024_2809_CVE_2025_29358, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect HTTP POST requests to /goform/SetFirewallCfg where the firewallEn parameter value is 100 or more bytes long (URL-encoded as firewallEn=), indicative of a stack-based buffer overflow attempt.
- The URI path /goform/SetFirewallCfg has an exact byte size of 22; use bsize matching to reduce false positives.
- The attack is delivered over plaintext HTTP (not TLS); perimeter and internal deployment is recommended.
- Maps to MITRE ATT&CK T1190 (Exploit Public-Facing Application) under tactic TA0001 (Initial Access).
- A public PoC/exploit disclosure exists; treat any matching traffic as a high-confidence exploitation attempt.
- The Snort/Suricata rule (ET sid:2065155) covers multiple CVEs simultaneously (CVE-2025-8810, CVE-2025-29358, CVE-2025-1851, CVE-2024-2809); a match does not exclusively confirm CVE-2025-1851 exploitation, so correlate with the affected device version (Tenda AC7 up to 15.03.06.44).
- The vulnerability is in the formSetFirewallCfg function of /goform/SetFirewallCfg on Tenda AC7; other Tenda models (e.g., AC8) share the same endpoint and are covered by the same rule.
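
The rule's match conditions, reimplemented as an added Python example (not part of the ET rule or of the original page) for checking captured or proxy-logged requests offline. The function names, `build_request` and the sample requests are constructed for illustration.

```python
import re

ENDPOINT = b"/goform/SetFirewallCfg"  # exactly 22 bytes, as in the rule's bsize:22
MIN_LEN = 100                         # threshold from the rule's pcre {100,}
# Same shape as the rule: "firewallEn=" followed by >= 100 non-'&' bytes,
# terminated by '&' or the end of the body.
FIREWALL_EN = re.compile(rb"firewallEn=([^&]{%d,})(?:&|$)" % MIN_LEN)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, body), or None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], body


def oversized_firewall_en(raw: bytes):
    """Return the firewallEn value length if the rule's conditions hold, else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, body = parsed
    # Exact target match mirrors bsize:22 (a target with a query string does not match).
    if method != b"POST" or target != ENDPOINT:
        return None
    match = FIREWALL_EN.search(body)
    return len(match.group(1)) if match else None


def build_request(body: bytes, target: bytes = ENDPOINT, method: bytes = b"POST") -> bytes:
    """Constructed sample request for exercising the check (192.0.2.1 is a documentation address)."""
    return (b"%s %s HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n%s" % (method, target, len(body), body))


if __name__ == "__main__":
    samples = {  # constructed inputs, not captured traffic
        "normal setting": build_request(b"firewallEn=1111"),
        "99-byte value": build_request(b"firewallEn=" + b"1" * 99),
        "100-byte value": build_request(b"firewallEn=" + b"1" * 100),
        "150-byte value + next param": build_request(b"firewallEn=" + b"1" * 150 + b"&x=1"),
        "other endpoint": build_request(b"firewallEn=" + b"1" * 150, target=b"/goform/Other"),
    }
    for name, raw in samples.items():
        print(f"{name}: {oversized_firewall_en(raw)}")
```

The length is counted on the raw body bytes, as the rule does, so a percent-encoded character counts as three bytes.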
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vendor_msrc | | 7.8 | HIGH | |
| vendor_redhat | | 4.5 | MEDIUM | |
OSV
mm: don't spin in add_stack_record when gfp flags don't allow
osv·2025-12-16
CVE-2025-68253 mm: don't spin in add_stack_record when gfp flags don't allow
In the Linux kernel, the following vulnerability has been resolved:
mm: don't spin in add_stack_record when gfp flags don't allow
syzbot was able to find the following path:
add_stack_record_to_list mm/page_owner.c:182 [inline]
inc_stack_record_count mm/page_owner.c:214 [inline]
__set_page_owner+0x2c3/0x4a0 mm/page_owner.c:333
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
alloc_pages_nolock_noprof+0x94/0x120 mm/page_alloc.c:7554
Don't spin in add_stack_record_to_list() when it is called
from *_nolock() context.
GHSA
GHSA-cwwg-82jm-w98g: A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15
ghsa_unreviewed·2025-03-03
CVE-2025-1851 [HIGH] CWE-119 GHSA-cwwg-82jm-w98g: A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15
A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15.03.06.44. This affects the function formSetFirewallCfg of the file /goform/SetFirewallCfg. The manipulation of the argument firewallEn leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Red Hat
kernel: mm: don't spin in add_stack_record when gfp flags don't allow
vendor_redhat·2025-12-16·CVSS 4.5
CVE-2025-68253 [MEDIUM] CWE-835 kernel: mm: don't spin in add_stack_record when gfp flags don't allow
In the Linux kernel, the following vulnerability has been resolved:
mm: don't spin in add_stack_record when gfp flags don't allow
syzbot was able to find the following path:
add_stack_record_to_list mm/page_owner.c:182 [inline]
inc_stack_record_count mm/page_owner.c:214 [inline]
__set_page_owner+0x2c3/0x4a0 mm/page_owner.c:333
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
alloc_pages_nolock_noprof+0x94/0x120 mm/page_alloc.c:7554
Don't spin in add_stack_record_to_list() when it is called
from *_nolock() context.
A potential deadlock was found in the Linux kernel's
Microsoft
Out-of-bounds Read in vim/vim
vendor_msrc·2022-05-10·CVSS 7.8
CVE-2022-1851 [HIGH] CWE-125 Out-of-bounds Read in vim/vim
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
@huntrdev: @huntrdev
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-
Suricata
ET WEB_SPECIFIC_APPS Tenda SetFirewallCfg firewallEn Parameter Buffer Overflow Attempt (CVE-2025-8810, CVE-2025-29358, CVE-2025-1851, CVE-2024-2809)
suricata·2025-10-10·CVSS 8.8
CVE-2025-8810 [HIGH] ET WEB_SPECIFIC_APPS Tenda SetFirewallCfg firewallEn Parameter Buffer Overflow Attempt (CVE-2025-8810, CVE-2025-29358, CVE-2025-1851, CVE-2024-2809)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda SetFirewallCfg firewallEn Parameter Buffer Overflow Attempt (CVE-2025-8810, CVE-2025-29358, CVE-2025-1851, CVE-2024-2809)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:22; content:"/goform/SetFirewallCfg"; fast_pattern; http.request_body; content:"firewallEn|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:cve,2025-8810; reference:url,www.cve.org/CVERecord/SearchResults?query=SetFirewallCfg; reference:cve,2025-1851; reference:cve,2025-29358; reference:url,github.com/peris-navince/founded-0-days/blob/main/Tenda/ac8/formSetFirewallCfg/1.md; refe
No public exploits indexed.
2025-03-03
Published