CVE-2025-0848

Name of the Vulnerable Software and Affected Versions Tenda A18 versions up to 15.13.07.09

Description This issue affects the function SetCmdlineRun of the file /goform/SetCmdlineRun of the component HTTP POST Request Handler. The manipulation of the argument wpapsk crypto5g leads to stack-based buffer overflow. The attack may be initiated remotely.

Recommendations Tenda A18 versions up to 15.13.07.09: Update the firmware to a version later than 15.13.07.09 to resolve the issue. As a temporary workaround, consider restricting access to the /goform/SetCmdlineRun endpoint until a patch is available. Avoid using the parameter wpapsk crypto5g in the affected API endpoint until the issue is resolved.