cvelistv5 - cve-2025-10803

CVE-2025-10803 (GCVE-0-2025-10803)

Vulnerability from cvelistv5

Published

2025-09-22 15:02

Modified

2025-09-22 17:18

Severity ?

7.4 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RC:R
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RC:R

CWE

CWE-120 - Buffer Overflow
CWE-119 - Memory Corruption

Summary

A vulnerability has been found in Tenda AC23 up to 16.03.07.52. Affected by this vulnerability is the function sscanf of the file /goform/SetPptpServerCfg of the component HTTP POST Request Handler. Such manipulation of the argument startIp leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

References

URL

Tags

cna@vuldb.com	https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC23-3/Tenda%20AC23%20Buffer%20overflow.md	Exploit, Third Party Advisory
cna@vuldb.com	https://vuldb.com/?ctiid.325161	Permissions Required, VDB Entry
cna@vuldb.com	https://vuldb.com/?id.325161	Third Party Advisory, VDB Entry
cna@vuldb.com	https://vuldb.com/?submit.654237	Third Party Advisory, VDB Entry
cna@vuldb.com	https://www.tenda.com.cn/	Product

Impacted products

	Vendor	Product	Version
	Tenda	AC23	Version: 16.03.07.0 Version: 16.03.07.1 Version: 16.03.07.2 Version: 16.03.07.3 Version: 16.03.07.4 Version: 16.03.07.5 Version: 16.03.07.6 Version: 16.03.07.7 Version: 16.03.07.8 Version: 16.03.07.9 Version: 16.03.07.10 Version: 16.03.07.11 Version: 16.03.07.12 Version: 16.03.07.13 Version: 16.03.07.14 Version: 16.03.07.15 Version: 16.03.07.16 Version: 16.03.07.17 Version: 16.03.07.18 Version: 16.03.07.19 Version: 16.03.07.20 Version: 16.03.07.21 Version: 16.03.07.22 Version: 16.03.07.23 Version: 16.03.07.24 Version: 16.03.07.25 Version: 16.03.07.26 Version: 16.03.07.27 Version: 16.03.07.28 Version: 16.03.07.29 Version: 16.03.07.30 Version: 16.03.07.31 Version: 16.03.07.32 Version: 16.03.07.33 Version: 16.03.07.34 Version: 16.03.07.35 Version: 16.03.07.36 Version: 16.03.07.37 Version: 16.03.07.38 Version: 16.03.07.39 Version: 16.03.07.40 Version: 16.03.07.41 Version: 16.03.07.42 Version: 16.03.07.43 Version: 16.03.07.44 Version: 16.03.07.45 Version: 16.03.07.46 Version: 16.03.07.47 Version: 16.03.07.48 Version: 16.03.07.49 Version: 16.03.07.50 Version: 16.03.07.51 Version: 16.03.07.52

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-10803",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-22T17:16:33.052690Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-22T17:18:36.553Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "HTTP POST Request Handler"
          ],
          "product": "AC23",
          "vendor": "Tenda",
          "versions": [
            {
              "status": "affected",
              "version": "16.03.07.0"
            },
            {
              "status": "affected",
              "version": "16.03.07.1"
            },
            {
              "status": "affected",
              "version": "16.03.07.2"
            },
            {
              "status": "affected",
              "version": "16.03.07.3"
            },
            {
              "status": "affected",
              "version": "16.03.07.4"
            },
            {
              "status": "affected",
              "version": "16.03.07.5"
            },
            {
              "status": "affected",
              "version": "16.03.07.6"
            },
            {
              "status": "affected",
              "version": "16.03.07.7"
            },
            {
              "status": "affected",
              "version": "16.03.07.8"
            },
            {
              "status": "affected",
              "version": "16.03.07.9"
            },
            {
              "status": "affected",
              "version": "16.03.07.10"
            },
            {
              "status": "affected",
              "version": "16.03.07.11"
            },
            {
              "status": "affected",
              "version": "16.03.07.12"
            },
            {
              "status": "affected",
              "version": "16.03.07.13"
            },
            {
              "status": "affected",
              "version": "16.03.07.14"
            },
            {
              "status": "affected",
              "version": "16.03.07.15"
            },
            {
              "status": "affected",
              "version": "16.03.07.16"
            },
            {
              "status": "affected",
              "version": "16.03.07.17"
            },
            {
              "status": "affected",
              "version": "16.03.07.18"
            },
            {
              "status": "affected",
              "version": "16.03.07.19"
            },
            {
              "status": "affected",
              "version": "16.03.07.20"
            },
            {
              "status": "affected",
              "version": "16.03.07.21"
            },
            {
              "status": "affected",
              "version": "16.03.07.22"
            },
            {
              "status": "affected",
              "version": "16.03.07.23"
            },
            {
              "status": "affected",
              "version": "16.03.07.24"
            },
            {
              "status": "affected",
              "version": "16.03.07.25"
            },
            {
              "status": "affected",
              "version": "16.03.07.26"
            },
            {
              "status": "affected",
              "version": "16.03.07.27"
            },
            {
              "status": "affected",
              "version": "16.03.07.28"
            },
            {
              "status": "affected",
              "version": "16.03.07.29"
            },
            {
              "status": "affected",
              "version": "16.03.07.30"
            },
            {
              "status": "affected",
              "version": "16.03.07.31"
            },
            {
              "status": "affected",
              "version": "16.03.07.32"
            },
            {
              "status": "affected",
              "version": "16.03.07.33"
            },
            {
              "status": "affected",
              "version": "16.03.07.34"
            },
            {
              "status": "affected",
              "version": "16.03.07.35"
            },
            {
              "status": "affected",
              "version": "16.03.07.36"
            },
            {
              "status": "affected",
              "version": "16.03.07.37"
            },
            {
              "status": "affected",
              "version": "16.03.07.38"
            },
            {
              "status": "affected",
              "version": "16.03.07.39"
            },
            {
              "status": "affected",
              "version": "16.03.07.40"
            },
            {
              "status": "affected",
              "version": "16.03.07.41"
            },
            {
              "status": "affected",
              "version": "16.03.07.42"
            },
            {
              "status": "affected",
              "version": "16.03.07.43"
            },
            {
              "status": "affected",
              "version": "16.03.07.44"
            },
            {
              "status": "affected",
              "version": "16.03.07.45"
            },
            {
              "status": "affected",
              "version": "16.03.07.46"
            },
            {
              "status": "affected",
              "version": "16.03.07.47"
            },
            {
              "status": "affected",
              "version": "16.03.07.48"
            },
            {
              "status": "affected",
              "version": "16.03.07.49"
            },
            {
              "status": "affected",
              "version": "16.03.07.50"
            },
            {
              "status": "affected",
              "version": "16.03.07.51"
            },
            {
              "status": "affected",
              "version": "16.03.07.52"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "QMSSDXN (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in Tenda AC23 up to 16.03.07.52. Affected by this vulnerability is the function sscanf of the file /goform/SetPptpServerCfg of the component HTTP POST Request Handler. Such manipulation of the argument startIp leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in Tenda AC23 up to 16.03.07.52 entdeckt. Betroffen hiervon ist die Funktion sscanf der Datei /goform/SetPptpServerCfg der Komponente HTTP POST Request Handler. Die Manipulation des Arguments startIp f\u00fchrt zu buffer overflow. Der Angriff kann remote ausgef\u00fchrt werden. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 9,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-22T15:02:07.142Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-325161 | Tenda AC23 HTTP POST Request SetPptpServerCfg sscanf buffer overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.325161"
        },
        {
          "name": "VDB-325161 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.325161"
        },
        {
          "name": "Submit #654237 | Tenda AC23 \u003c= V16.03.07.52 Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.654237"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC23-3/Tenda%20AC23%20Buffer%20overflow.md"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.tenda.com.cn/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-09-21T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-09-21T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-09-21T11:45:15.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Tenda AC23 HTTP POST Request SetPptpServerCfg sscanf buffer overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-10803",
    "datePublished": "2025-09-22T15:02:07.142Z",
    "dateReserved": "2025-09-21T09:39:45.186Z",
    "dateUpdated": "2025-09-22T17:18:36.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-10803\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2025-09-22T15:15:39.670\",\"lastModified\":\"2025-09-24T20:25:18.200\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been found in Tenda AC23 up to 16.03.07.52. Affected by this vulnerability is the function sscanf of the file /goform/SetPptpServerCfg of the component HTTP POST Request Handler. Such manipulation of the argument startIp leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:C\",\"baseScore\":9.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"},{\"lang\":\"en\",\"value\":\"CWE-120\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:tenda:ac23_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"16.03.07.52\",\"matchCriteriaId\":\"DA0632AC-B5A7-48E2-B20B-47345E714713\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:tenda:ac23:1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"25E2CE21-2D85-49DC-BEA2-EC4889C9F3A8\"}]}]}],\"references\":[{\"url\":\"https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC23-3/Tenda%20AC23%20Buffer%20overflow.md\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://vuldb.com/?ctiid.325161\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Permissions Required\",\"VDB Entry\"]},{\"url\":\"https://vuldb.com/?id.325161\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://vuldb.com/?submit.654237\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.tenda.com.cn/\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Product\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-10803\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-22T17:16:33.052690Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-22T17:17:44.152Z\"}}], \"cna\": {\"title\": \"Tenda AC23 HTTP POST Request SetPptpServerCfg sscanf buffer overflow\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"QMSSDXN (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 9, \"vectorString\": \"AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR\"}}], \"affected\": [{\"vendor\": \"Tenda\", \"modules\": [\"HTTP POST Request Handler\"], \"product\": \"AC23\", \"versions\": [{\"status\": \"affected\", \"version\": \"16.03.07.0\"}, {\"status\": \"affected\", \"version\": \"16.03.07.1\"}, {\"status\": \"affected\", \"version\": \"16.03.07.2\"}, {\"status\": \"affected\", \"version\": \"16.03.07.3\"}, {\"status\": \"affected\", \"version\": \"16.03.07.4\"}, {\"status\": \"affected\", \"version\": \"16.03.07.5\"}, {\"status\": \"affected\", \"version\": \"16.03.07.6\"}, {\"status\": \"affected\", \"version\": \"16.03.07.7\"}, {\"status\": \"affected\", \"version\": \"16.03.07.8\"}, {\"status\": \"affected\", \"version\": \"16.03.07.9\"}, {\"status\": \"affected\", \"version\": \"16.03.07.10\"}, {\"status\": \"affected\", \"version\": \"16.03.07.11\"}, {\"status\": \"affected\", \"version\": \"16.03.07.12\"}, {\"status\": \"affected\", \"version\": \"16.03.07.13\"}, {\"status\": \"affected\", \"version\": \"16.03.07.14\"}, {\"status\": \"affected\", \"version\": \"16.03.07.15\"}, {\"status\": \"affected\", \"version\": \"16.03.07.16\"}, {\"status\": \"affected\", \"version\": \"16.03.07.17\"}, {\"status\": \"affected\", \"version\": \"16.03.07.18\"}, {\"status\": \"affected\", \"version\": \"16.03.07.19\"}, {\"status\": \"affected\", \"version\": \"16.03.07.20\"}, {\"status\": \"affected\", \"version\": \"16.03.07.21\"}, {\"status\": \"affected\", \"version\": \"16.03.07.22\"}, {\"status\": \"affected\", \"version\": \"16.03.07.23\"}, {\"status\": \"affected\", \"version\": \"16.03.07.24\"}, {\"status\": \"affected\", \"version\": \"16.03.07.25\"}, {\"status\": \"affected\", \"version\": \"16.03.07.26\"}, {\"status\": \"affected\", \"version\": \"16.03.07.27\"}, {\"status\": \"affected\", \"version\": \"16.03.07.28\"}, {\"status\": \"affected\", \"version\": \"16.03.07.29\"}, {\"status\": \"affected\", \"version\": \"16.03.07.30\"}, {\"status\": \"affected\", \"version\": \"16.03.07.31\"}, {\"status\": \"affected\", \"version\": \"16.03.07.32\"}, {\"status\": \"affected\", \"version\": \"16.03.07.33\"}, {\"status\": \"affected\", \"version\": \"16.03.07.34\"}, {\"status\": \"affected\", \"version\": \"16.03.07.35\"}, {\"status\": \"affected\", \"version\": \"16.03.07.36\"}, {\"status\": \"affected\", \"version\": \"16.03.07.37\"}, {\"status\": \"affected\", \"version\": \"16.03.07.38\"}, {\"status\": \"affected\", \"version\": \"16.03.07.39\"}, {\"status\": \"affected\", \"version\": \"16.03.07.40\"}, {\"status\": \"affected\", \"version\": \"16.03.07.41\"}, {\"status\": \"affected\", \"version\": \"16.03.07.42\"}, {\"status\": \"affected\", \"version\": \"16.03.07.43\"}, {\"status\": \"affected\", \"version\": \"16.03.07.44\"}, {\"status\": \"affected\", \"version\": \"16.03.07.45\"}, {\"status\": \"affected\", \"version\": \"16.03.07.46\"}, {\"status\": \"affected\", \"version\": \"16.03.07.47\"}, {\"status\": \"affected\", \"version\": \"16.03.07.48\"}, {\"status\": \"affected\", \"version\": \"16.03.07.49\"}, {\"status\": \"affected\", \"version\": \"16.03.07.50\"}, {\"status\": \"affected\", \"version\": \"16.03.07.51\"}, {\"status\": \"affected\", \"version\": \"16.03.07.52\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-09-21T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2025-09-21T02:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2025-09-21T11:45:15.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.325161\", \"name\": \"VDB-325161 | Tenda AC23 HTTP POST Request SetPptpServerCfg sscanf buffer overflow\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.325161\", \"name\": \"VDB-325161 | CTI Indicators (IOB, IOC, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.654237\", \"name\": \"Submit #654237 | Tenda AC23 \u003c= V16.03.07.52 Buffer Overflow\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC23-3/Tenda%20AC23%20Buffer%20overflow.md\", \"tags\": [\"exploit\"]}, {\"url\": \"https://www.tenda.com.cn/\", \"tags\": [\"product\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability has been found in Tenda AC23 up to 16.03.07.52. Affected by this vulnerability is the function sscanf of the file /goform/SetPptpServerCfg of the component HTTP POST Request Handler. Such manipulation of the argument startIp leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.\"}, {\"lang\": \"de\", \"value\": \"Es wurde eine Schwachstelle in Tenda AC23 up to 16.03.07.52 entdeckt. Betroffen hiervon ist die Funktion sscanf der Datei /goform/SetPptpServerCfg der Komponente HTTP POST Request Handler. Die Manipulation des Arguments startIp f\\u00fchrt zu buffer overflow. Der Angriff kann remote ausgef\\u00fchrt werden. Der Exploit wurde der \\u00d6ffentlichkeit bekannt gemacht und k\\u00f6nnte verwendet werden.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-120\", \"description\": \"Buffer Overflow\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-119\", \"description\": \"Memory Corruption\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2025-09-22T15:02:07.142Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-10803\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-22T17:18:36.553Z\", \"dateReserved\": \"2025-09-21T09:39:45.186Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2025-09-22T15:02:07.142Z\", \"assignerShortName\": \"VulDB\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

cnvd-2025-24480

Vulnerability from cnvd

Title

Tenda AC23 SetPptpServerCfg文件sscanf函数缓冲区溢出漏洞

Description

Tenda AC23是腾达推出的一款双频无线路由器，支持802.11acWave2技术，双频并发传输速率可达2033Mbps，其中5GHz频段最高可达1733Mbps，适用于4K视频、在线直播等高带宽应用。 Tenda AC23存在缓冲区溢出漏洞，该漏洞源于/goform/SetPptpServerCfg文件中sscanf函数的参数startIp未能正确验证输入数据的长度大小，攻击者可利用该漏洞在系统上执行任意代码或者导致拒绝服务。

Severity

高

Formal description

目前厂商尚未发布升级程序修复该安全问题，详情见厂商官网： https://www.tenda.com.cn/

Reference

https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC23-3/Tenda%20AC23%20Buffer%20overflow.md

Impacted products

Name
Tenda AC23 <=16.03.07.52

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-10803",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-10803"
    }
  },
  "description": "Tenda AC23\u662f\u817e\u8fbe\u63a8\u51fa\u7684\u4e00\u6b3e\u53cc\u9891\u65e0\u7ebf\u8def\u7531\u5668\uff0c\u652f\u6301802.11acWave2\u6280\u672f\uff0c\u53cc\u9891\u5e76\u53d1\u4f20\u8f93\u901f\u7387\u53ef\u8fbe2033Mbps\uff0c\u5176\u4e2d5GHz\u9891\u6bb5\u6700\u9ad8\u53ef\u8fbe1733Mbps\uff0c\u9002\u7528\u4e8e4K\u89c6\u9891\u3001\u5728\u7ebf\u76f4\u64ad\u7b49\u9ad8\u5e26\u5bbd\u5e94\u7528\u3002\n\nTenda AC23\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e/goform/SetPptpServerCfg\u6587\u4ef6\u4e2dsscanf\u51fd\u6570\u7684\u53c2\u6570startIp\u672a\u80fd\u6b63\u786e\u9a8c\u8bc1\u8f93\u5165\u6570\u636e\u7684\u957f\u5ea6\u5927\u5c0f\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u6216\u8005\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://www.tenda.com.cn/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-24480",
  "openTime": "2025-10-21",
  "products": {
    "product": "Tenda AC23 \u003c=16.03.07.52"
  },
  "referenceLink": "https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC23-3/Tenda%20AC23%20Buffer%20overflow.md",
  "serverity": "\u9ad8",
  "submitTime": "2025-09-25",
  "title": "Tenda AC23 SetPptpServerCfg\u6587\u4ef6sscanf\u51fd\u6570\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

ghsa-jxff-p3fh-x5c9

Vulnerability from github

Published

2025-09-22 21:30

Modified

2025-09-22 21:30

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.4 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-10803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-22T15:15:39Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been found in Tenda AC23 up to 16.03.07.52. Affected by this vulnerability is the function sscanf of the file /goform/SetPptpServerCfg of the component HTTP POST Request Handler. Such manipulation of the argument startIp leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-jxff-p3fh-x5c9",
  "modified": "2025-09-22T21:30:21Z",
  "published": "2025-09-22T21:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC23-3/Tenda%20AC23%20Buffer%20overflow.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.325161"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.325161"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.654237"
    },
    {
      "type": "WEB",
      "url": "https://www.tenda.com.cn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

fkie_cve-2025-10803

Vulnerability from fkie_nvd

Published

2025-09-22 15:15

Modified

2025-09-24 20:25

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cna@vuldb.com	https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC23-3/Tenda%20AC23%20Buffer%20overflow.md	Exploit, Third Party Advisory
cna@vuldb.com	https://vuldb.com/?ctiid.325161	Permissions Required, VDB Entry
cna@vuldb.com	https://vuldb.com/?id.325161	Third Party Advisory, VDB Entry
cna@vuldb.com	https://vuldb.com/?submit.654237	Third Party Advisory, VDB Entry
cna@vuldb.com	https://www.tenda.com.cn/	Product

Impacted products

	Vendor	Product	Version
	tenda	ac23_firmware	*
	tenda	ac23	1.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tenda:ac23_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA0632AC-B5A7-48E2-B20B-47345E714713",
              "versionEndIncluding": "16.03.07.52",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tenda:ac23:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "25E2CE21-2D85-49DC-BEA2-EC4889C9F3A8",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability has been found in Tenda AC23 up to 16.03.07.52. Affected by this vulnerability is the function sscanf of the file /goform/SetPptpServerCfg of the component HTTP POST Request Handler. Such manipulation of the argument startIp leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
    }
  ],
  "id": "CVE-2025-10803",
  "lastModified": "2025-09-24T20:25:18.200",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "cna@vuldb.com",
        "type": "Secondary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "cna@vuldb.com",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cna@vuldb.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-22T15:15:39.670",
  "references": [
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC23-3/Tenda%20AC23%20Buffer%20overflow.md"
    },
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Permissions Required",
        "VDB Entry"
      ],
      "url": "https://vuldb.com/?ctiid.325161"
    },
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://vuldb.com/?id.325161"
    },
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://vuldb.com/?submit.654237"
    },
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Product"
      ],
      "url": "https://www.tenda.com.cn/"
    }
  ],
  "sourceIdentifier": "cna@vuldb.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-119"
        },
        {
          "lang": "en",
          "value": "CWE-120"
        }
      ],
      "source": "cna@vuldb.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-10803 (GCVE-0-2025-10803)

Vulnerability from cvelistv5

cnvd-2025-24480

Vulnerability from cnvd

ghsa-jxff-p3fh-x5c9

Vulnerability from github

fkie_cve-2025-10803

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature