CVE-2025-5527
published 2025-06-03

Priority: P2, 72, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 8.04% (94.1th percentile)

A vulnerability was found in Tenda RX3 16.03.13.11_multi_TDE01. It has been rated as critical. This issue affects the function save_staticroute_data of the file /goform/SetStaticRouteCfg. The manipulation of the argument list leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
tenda | rx3 | |
tenda | rx3_firmware | |

Detection & IOCs (extracted from sources)

path: /goform/SetStaticRouteCfg

snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda SetStaticRouteCfg list Parameter Buffer Overflow Attempt (CVE-2025-5527)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/goform/SetStaticRouteCfg"; fast_pattern; http.request_body; content:"list|3d|"; pcre:"/^[^\x26$]{100,}(?:\x26|$)/R"; reference:url,github.com/Thir0th/Thir0th-CVE/; reference:cve,2025-5527; classtype:web-application-attack; sid:2063672; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_22, cve CVE_2025_5527, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_07_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets HTTP POST requests to /goform/SetStaticRouteCfg with a 'list' parameter value exceeding 100 characters (stack-based buffer overflow via the 'list' argument to save_staticroute_data)
  • The URI path /goform/SetStaticRouteCfg has a fixed byte size of 25; use bsize:25 in URI matching to reduce false positives
  • Attack is plaintext (non-TLS) and should be detected at the network perimeter and internally; MITRE ATT&CK T1190 (Exploit Public-Facing Application)
  • The vulnerable function is save_staticroute_data in the file /goform/SetStaticRouteCfg on Tenda RX3 firmware version 16.03.13.11_multi_TDE01
  • Exploit has been publicly disclosed; affected firmware is Tenda RX3 16.03.13.11_multi_TDE01 only, so verify the firmware version before applying detections to avoid false positives on other Tenda models
  • The Snort/Suricata rule (ET sid:2063672) triggers on POST body 'list=' values of ≥100 characters that contain no '&' (\x26) or '$', running up to the next '&' or the end of the body; tune the pcre threshold if legitimate long list values are expected in your environment
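
The rule's three conditions (POST method, a URI that is exactly the 25-byte path, and an oversized 'list' value) can be replayed offline against captured or proxied requests to see what the threshold would flag before tuning it. The sketch below is an added example, not part of the ET rule or the sources quoted on this page; the function names, the `/goform/Other` path and the sample requests are constructed for illustration.

```python
import re

TARGET_PATH = "/goform/SetStaticRouteCfg"  # 25 bytes, hence bsize:25 in the rule
DEFAULT_MIN_LEN = 100                      # the {100,} bound in the rule's pcre


def oversized_list_len(method, uri, body, min_len=DEFAULT_MIN_LEN):
    """Return the length of an oversized 'list' value, or None if the
    request does not meet the rule's conditions."""
    # http.method "POST" and a URI that is exactly the 25-byte path.
    if method != "POST" or uri != TARGET_PATH:
        return None
    # After "list=": min_len or more bytes that are neither '&' nor '$',
    # then '&' or end of body (same character class as the pcre).
    pattern = rb"list=([^&$]{%d,})(?:&|$)" % min_len
    match = re.search(pattern, body)
    return len(match.group(1)) if match else None


def scan(requests, min_len=DEFAULT_MIN_LEN):
    """Return (index, value_length) for each request that matches."""
    hits = []
    for i, (method, uri, body) in enumerate(requests):
        n = oversized_list_len(method, uri, body, min_len)
        if n is not None:
            hits.append((i, n))
    return hits


# Constructed sample requests (method, uri, body); not real traffic.
SAMPLES = [
    ("POST", TARGET_PATH, b"list=short-value"),
    ("POST", TARGET_PATH, b"list=" + b"A" * 150),
    ("POST", TARGET_PATH, b"page=1&list=" + b"A" * 120 + b"&x=1"),
    ("GET", TARGET_PATH, b"list=" + b"A" * 150),
    ("POST", "/goform/Other", b"list=" + b"A" * 150),
]

if __name__ == "__main__":
    for idx, length in scan(SAMPLES):
        print(f"request {idx}: list value of {length} bytes")
```

Raising `min_len` shows directly which of the recorded requests would stop alerting, which is the tuning decision the last note above describes.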

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C