CVE-2025-44898: n/a
FW-WGS-804HPT v1.305b241111 was discovered to contain a stack overflow via the theauthName parameter in the web_aaa_loginAuthlistEdit function.
AI Analysis
Technical Summary
CVE-2025-44898 is a critical stack overflow vulnerability identified in the firmware version FW-WGS-804HPT v1.305b241111. The flaw exists in the web_aaa_loginAuthlistEdit function, specifically via the theauthName parameter. A stack overflow occurs when more data is written to a buffer located on the stack than it can hold, which can overwrite adjacent memory and lead to arbitrary code execution or system crashes. In this case, the vulnerability allows an unauthenticated attacker to remotely trigger the overflow through network access (AV:N), with no privileges required (PR:N) and no user interaction needed (UI:N). The vulnerability affects confidentiality, integrity, and availability (C:H/I:H/A:H), making it highly severe. The CVSS v3.1 base score is 9.8, indicating a critical severity level. The CWE classification is CWE-121, which corresponds to a classic stack-based buffer overflow. No patches or known exploits in the wild have been reported yet. The vulnerability likely affects devices running the specified firmware version, which appears to be a network appliance or embedded device given the firmware naming convention and the presence of a web authentication function. Exploitation could allow attackers to execute arbitrary code remotely, potentially taking full control of the device, disrupting network operations, or pivoting to internal networks.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those using the affected FW-WGS-804HPT devices or similar network equipment. Successful exploitation could lead to complete compromise of the device, enabling attackers to intercept, modify, or block network traffic, disrupt critical services, or establish persistent footholds within corporate networks. This is particularly concerning for sectors with high reliance on network infrastructure such as finance, telecommunications, government, and critical infrastructure operators. The lack of authentication and user interaction requirements means attackers can exploit this remotely and autonomously, increasing the threat level. Additionally, compromised devices could be leveraged in broader attacks such as lateral movement, data exfiltration, or launching distributed denial-of-service (DDoS) attacks, amplifying the impact on European organizations' operational continuity and data security.
Mitigation Recommendations
Given the absence of an official patch at this time, European organizations should implement immediate compensating controls. These include:
1) Network segmentation to isolate vulnerable devices from critical systems and limit exposure to untrusted networks;
2) Strict firewall rules and access control lists (ACLs) that restrict inbound traffic to management interfaces, in particular blocking untrusted sources from reaching the affected device's management ports and the web interface that exposes the web_aaa_loginAuthlistEdit function;
3) Monitoring of network traffic for anomalous requests targeting the theauthName parameter (for example, unusually long values) or other patterns indicative of exploitation attempts;
4) Intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect potential exploitation attempts;
5) Thorough asset inventories to identify devices running the vulnerable firmware and prioritize their remediation;
6) Engagement with the device vendor or firmware provider for timely patch releases, applying updates as soon as they become available;
7) Temporary device replacement or disabling of the vulnerable service, if feasible, until patches are applied.
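As an added illustration of recommendation 3 (not part of the original advisory), the following script scans constructed web-server access-log lines for requests that reach the web_aaa_loginAuthlistEdit handler and flags an oversized theauthName value or a request from outside an assumed management subnet. It assumes the parameter is carried in the URL query string of a GET request and that 10.0.0.0/24 is the management network and 64 characters the upper bound of a legitimate name; all of these, and the log lines themselves, are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse, parse_qs

# Assumed management subnet; requests from anywhere else are treated as untrusted.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]
# Assumed upper bound for a legitimate auth-list name (hypothetical threshold).
MAX_AUTHNAME_LEN = 64
HANDLER = "web_aaa_loginAuthlistEdit"

# Minimal combined-log-format parser: source IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def classify(line):
    """Return a finding dict for a suspicious request to the handler, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("target"))
    if HANDLER not in parsed.path:
        return None  # not the vulnerable handler
    src = ipaddress.ip_address(m.group("ip"))
    names = parse_qs(parsed.query, keep_blank_values=True).get("theauthName", [])
    longest = max((len(n) for n in names), default=0)
    reasons = []
    if longest > MAX_AUTHNAME_LEN:
        reasons.append("oversized theauthName")
    if not any(src in net for net in MANAGEMENT_NETS):
        reasons.append("handler reached from outside management subnet")
    if not reasons:
        return None
    return {"ip": str(src), "status": m.group("status"), "length": longest, "reasons": reasons}

def scan(lines):
    """Run classify() over an iterable of log lines and keep only findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log: one legitimate edit, one oversized probe, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/May/2025:06:02:30 +0000] "GET /cgi-bin/web_aaa_loginAuthlistEdit?theauthName=admins HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/May/2025:06:03:01 +0000] "GET /cgi-bin/web_aaa_loginAuthlistEdit?theauthName=' + "A" * 300 + ' HTTP/1.1" 500 0',
    '10.0.0.7 - - [21/May/2025:06:03:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```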
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- CISA Enriched: false
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d6c76d4f2164cc92430d3
Added to database: 5/21/2025, 6:02:30 AM
Last enriched: 7/6/2025, 5:27:34 AM
Last updated: 8/4/2025, 6:59:46 PM
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)