Primary

Context

Tenda W30E Stack Overflow Vulnerability in formDeleteMeshNode Function Allowing Denial-of-Service

Vulnerability

Patched

A stack overflow vulnerability has been identified in the Tenda W30E router, specifically in version 16.01.0.19 (5037). The issue arises in the formDeleteMeshNode function, where user-provided String parameters are not properly validated before being processed. This flaw enables remote attackers to craft requests that overflow the stack buffer, leading to a denial-of-service condition or potentially allowing remote code execution.

Impact

Exploitation of this vulnerability causes a denial-of-service condition, with the potential for remote code execution.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to the '/goform/deleteMesh' endpoint with a crafted 'mac' parameter that is excessively long, such as 1000 characters. This can be done using a Python script that utilizes the 'requests' library to automate the process.

Added: Sep 9, 2025, 7:18 PM

Updated: Sep 9, 2025, 7:18 PM

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

7.5

exploitability

6.2

remediation

7.7

relevance

0.5

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

7.5

exploitability

6.2

remediation

7.7

relevance

0.5

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tenda W30E Stack Overflow Vulnerability in formDeleteMeshNode Function Allowing Denial-of-Service

Vulnerability

Impact

Reproduction

Affected Products

Tenda W30E

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating