CVE-2025-5527
published 2025-06-03CVE-2025-5527: A vulnerability was found in Tenda RX3 16.03.13.11_multi_TDE01. It has been rated as critical. This issue affects the function save_staticroute_data of the…
PriorityP272high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
8.04%
94.1th percentile
A vulnerability was found in Tenda RX3 16.03.13.11_multi_TDE01. It has been rated as critical. This issue affects the function save_staticroute_data of the file /goform/SetStaticRouteCfg. The manipulation of the argument list leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tenda | rx3 | — | — |
| tenda | rx3_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda SetStaticRouteCfg list Parameter Buffer Overflow Attempt (CVE-2025-5527)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/goform/SetStaticRouteCfg"; fast_pattern; http.request_body; content:"list|3d|"; pcre:"/^[^\x26$]{100,}(?:\x26|$)/R"; reference:url,github.com/Thir0th/Thir0th-CVE/; reference:cve,2025-5527; classtype:web-application-attack; sid:2063672; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_22, cve CVE_2025_5527, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_07_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)- →Exploit targets HTTP POST requests to /goform/SetStaticRouteCfg with a 'list' parameter value exceeding 100 characters (stack-based buffer overflow via the 'list' argument to save_staticroute_data)
- →The URI path /goform/SetStaticRouteCfg has a fixed byte size of 25; use bsize:25 in URI matching to reduce false positives
- →Attack is plaintext (non-TLS) and should be detected at the network perimeter and internally; MITRE ATT&CK T1190 (Exploit Public-Facing Application)
- →The vulnerable function is save_staticroute_data in the file /goform/SetStaticRouteCfg on Tenda RX3 firmware version 16.03.13.11_multi_TDE01
- ·Exploit has been publicly disclosed; affected firmware is Tenda RX3 16.03.13.11_multi_TDE01 only — verify firmware version before applying detections to avoid false positives on other Tenda models ↗
- ·The Snort/Suricata rule (ET sid:2063672) triggers on POST body 'list=' values ≥100 chars with no URL-encoded ampersand following; tune the pcre threshold if legitimate long list values are expected in your environment
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS Tenda SetStaticRouteCfg list Parameter Buffer Overflow Attempt (CVE-2025-5527)
suricata·2025-07-22·CVSS 8.7
CVE-2025-5527 [HIGH] ET WEB_SPECIFIC_APPS Tenda SetStaticRouteCfg list Parameter Buffer Overflow Attempt (CVE-2025-5527)
ET WEB_SPECIFIC_APPS Tenda SetStaticRouteCfg list Parameter Buffer Overflow Attempt (CVE-2025-5527)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda SetStaticRouteCfg list Parameter Buffer Overflow Attempt (CVE-2025-5527)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/goform/SetStaticRouteCfg"; fast_pattern; http.request_body; content:"list|3d|"; pcre:"/^[^\x26$]{100,}(?:\x26|$)/R"; reference:url,github.com/Thir0th/Thir0th-CVE/; reference:cve,2025-5527; classtype:web-application-attack; sid:2063672; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_22, cve CVE_2025_5527, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, sig
No public exploits indexed.
No writeups or analysis indexed.
2025-06-03
Published