CVE-2025-70252

An issue was discovered in /goform/WifiWpsStart in Tenda AC6V2.0 V15.03.06.23_multi. The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2025-70252	Exploit Third Party Advisory
https://www.tenda.com.cn/material/show/2855	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:tenda:ac6_firmware:15.03.06.23_multi:*:*:*:*:*:*:*

cpe:2.3:h:tenda:ac6:2.0:*:*:*:*:*:*:*

History

06 Mar 2026, 21:04

Type	Values Removed	Values Added
CPE		cpe:2.3:h:tenda:ac6:2.0:::::::* cpe:2.3:o:tenda:ac6_firmware:15.03.06.23_multi:::::::*
First Time		Tenda Tenda ac6 Firmware Tenda ac6
References	~~() https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2025-70252 -~~	() https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2025-70252 - Exploit, Third Party Advisory
References	~~() https://www.tenda.com.cn/material/show/2855 -~~	() https://www.tenda.com.cn/material/show/2855 - Product

03 Mar 2026, 20:16

Type	Values Removed	Values Added
CWE		CWE-121
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

02 Mar 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-02 17:16

Updated : 2026-03-06 21:04

NVD link : CVE-2025-70252

Mitre link : CVE-2025-70252

CVE.ORG link : CVE-2025-70252

JSON object : View

Products Affected

tenda

ac6_firmware
ac6

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2025-70252", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-02T17:16:28.783", "references": [{"url": "https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2025-70252", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.tenda.com.cn/material/show/2855", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in /goform/WifiWpsStart in Tenda AC6V2.0 V15.03.06.23_multi. The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability."}], "lastModified": "2026-03-06T21:04:07.437", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:tenda:ac6_firmware:15.03.06.23_multi:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A103332-5CD6-4045-8DE8-1A93D8656FAC"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:tenda:ac6:2.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E382AD7E-1450-40FC-AE9D-698B491805F0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}