Primary

Context

Tenda W30E Stack Overflow Vulnerability in werlessAdvancedSet Function Allowing Denial-of-Service

Vulnerability

Patched

A stack overflow vulnerability has been identified in the Tenda W30E router, specifically in version 16.01.0.19 (5037). The issue arises in the werlessAdvancedSet function, where the countryCode parameter is processed without proper length validation. This flaw enables remote attackers to craft HTTP POST requests that overflow a stack-based buffer, leading to a denial-of-service condition or potentially allowing remote code execution.

Impact

Exploitation of this vulnerability causes a denial-of-service condition, with the possibility of remote code execution.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to the /goform/setAdvancedSetList endpoint with a crafted countryCode parameter that is excessively long, such as 1000 characters. This can be done using a script that automates the request, such as one written in Python using the requests library.

Added: Sep 9, 2025, 5:35 PM

Updated: Sep 9, 2025, 5:35 PM

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

2.5

exploitability

6.2

remediation

7.7

relevance

0.5

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

2.5

exploitability

6.2

remediation

7.7

relevance

0.5

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tenda W30E Stack Overflow Vulnerability in werlessAdvancedSet Function Allowing Denial-of-Service

Vulnerability

Impact

Reproduction

Affected Products

Tenda W30E

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating