CVE-2025-70252

An issue was discovered in /goform/WifiWpsStart in Tenda AC6V2.0 V15.03.06.23_multi. The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2025-70252	Exploit Third Party Advisory
https://www.tenda.com.cn/material/show/2855	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:tenda:ac6_firmware:15.03.06.23_multi:*:*:*:*:*:*:*

cpe:2.3:h:tenda:ac6:2.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-02 17:16

Updated : 2026-03-06 21:04

NVD link : CVE-2025-70252

Mitre link : CVE-2025-70252

CVE.ORG link : CVE-2025-70252

JSON object : View

Products Affected

tenda

ac6
ac6_firmware

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2025-70252", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-02T17:16:28.783", "references": [{"url": "https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2025-70252", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.tenda.com.cn/material/show/2855", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in /goform/WifiWpsStart in Tenda AC6V2.0 V15.03.06.23_multi. The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en /goform/WifiWpsStart en Tenda AC6V2.0 V15.03.06.23_multi. El \u00edndice y el modo son controlables. Si se cumplen las condiciones para sprintf, se empalmar\u00e1n en tmp. Cabe destacar que no hay una comprobaci\u00f3n de tama\u00f1o, lo que lleva a una vulnerabilidad de desbordamiento de pila."}], "lastModified": "2026-03-06T21:04:07.437", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:tenda:ac6_firmware:15.03.06.23_multi:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A103332-5CD6-4045-8DE8-1A93D8656FAC"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:tenda:ac6:2.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E382AD7E-1450-40FC-AE9D-698B491805F0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}