CVE-2025-63149: n/a
Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the urls parameter of the get_parentControl_list_Info function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.
AI Analysis
Technical Summary
CVE-2025-63149 is a stack overflow vulnerability identified in the Tenda AX3 router firmware version V16.03.12.10_CN. The flaw exists in the get_parentControl_list_Info function, which processes the urls parameter. A crafted request with maliciously constructed input in this parameter can trigger a stack overflow, causing the device to crash or reboot, resulting in a Denial of Service (DoS). This vulnerability does not require authentication, meaning an attacker with network access to the router's management interface can exploit it remotely.

The lack of a CVSS score and absence of known exploits in the wild indicate it is a recently disclosed issue. No patches or firmware updates have been officially released at the time of publication, increasing the urgency for defensive measures. The vulnerability primarily affects the availability of the device, potentially disrupting internet connectivity for users relying on the router. Since Tenda AX3 routers are commonly used in home and small office environments, exploitation could impact both individual users and small businesses.

The attack vector involves sending a specially crafted HTTP request to the vulnerable function, which is likely part of the router's web management interface. Given the nature of the vulnerability, it does not appear to compromise confidentiality or integrity directly but can cause service outages. The exploitability is relatively straightforward due to the lack of authentication requirements, though it requires network access to the device. Organizations should monitor network traffic for suspicious requests targeting router management interfaces and restrict access to trusted networks only. Firmware updates from Tenda should be applied promptly once available to remediate the vulnerability.
Potential Impact
For European organizations, the primary impact of CVE-2025-63149 is the potential for Denial of Service on Tenda AX3 routers, which could disrupt internet connectivity and internal network access. This is especially critical for small businesses and home offices relying on these routers for daily operations. Service interruptions could lead to productivity losses, communication breakdowns, and potential secondary impacts if network-dependent security systems or remote work setups are affected. While the vulnerability does not directly expose sensitive data or allow unauthorized control, the availability impact can indirectly affect confidentiality and integrity by disabling security monitoring or patch management systems. In environments where Tenda AX3 devices are used as primary gateways, the DoS could cause significant operational challenges. The lack of known exploits in the wild currently limits immediate risk, but the ease of exploitation and absence of authentication requirements mean attackers could weaponize this vulnerability quickly once exploit code becomes available. European organizations should consider the risk in their network architecture, especially where remote or unmanaged devices are deployed.
Mitigation Recommendations
1. Immediately restrict access to the router's management interface by limiting it to trusted internal networks and disabling remote management features if not required.
2. Implement network segmentation to isolate vulnerable devices from critical infrastructure and sensitive data.
3. Monitor network traffic for unusual or malformed HTTP requests targeting the router's management interface, which could indicate exploitation attempts.
4. Deploy intrusion detection or prevention systems (IDS/IPS) with custom signatures to detect exploitation patterns related to the get_parentControl_list_Info function.
5. Educate users and administrators about the vulnerability and the importance of not exposing router management interfaces to untrusted networks.
6. Regularly check for firmware updates from Tenda and apply patches promptly once released to remediate the vulnerability.
7. Consider replacing or upgrading routers in environments where Tenda AX3 devices are widely used and cannot be adequately secured.
8. Maintain backups of router configurations to enable rapid recovery in case of device failure due to exploitation.
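One way to act on the monitoring recommendations (items 3 and 4), as an added example that is not part of the original advisory or any vendor tooling: a check that flags captured HTTP requests whose `urls` parameter is unusually long. The length threshold, the capture format and the placeholder path are assumptions, since the page states neither the buffer size nor the handler's URL.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed threshold: the advisory does not state the buffer size, so tune this
# to the longest value your legitimate parental-control rules produce.
MAX_URLS_LEN = 256

def urls_values(raw_request: str) -> list[str]:
    """Return every decoded `urls` value from the query string and form body."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []  # not a parseable request line
    query = urlsplit(parts[1]).query
    values = []
    for blob in (query, body):
        # parse_qs percent-decodes, so lengths are measured after decoding
        values += parse_qs(blob, keep_blank_values=True).get("urls", [])
    return values

def find_suspicious(captures, max_len=MAX_URLS_LEN):
    """Return (source_ip, longest_len) for requests whose `urls` value exceeds max_len."""
    hits = []
    for src, raw in captures:
        lengths = [len(v) for v in urls_values(raw)]
        if lengths and max(lengths) > max_len:
            hits.append((src, max(lengths)))
    return hits

# Constructed sample captures (source IP, raw HTTP request). The path
# /example/endpoint is a placeholder, not the router's real handler path.
SAMPLE = [
    ("192.0.2.10", "POST /example/endpoint HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
                   "urls=example.com,example.org"),
    ("198.51.100.7", "POST /example/endpoint HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
                     "urls=" + "A" * 2000),
    ("192.0.2.11", "GET /index.html?lang=en HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"),
]

if __name__ == "__main__":
    for src, n in find_suspicious(SAMPLE):
        print(f"ALERT {src}: urls parameter is {n} characters long")
```

The same length condition can be carried into an IDS/IPS rule once the threshold has been calibrated against normal management traffic.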
Affected Countries
Germany, France, Italy, Spain, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69124159941466772c4b1f94
Added to database: 11/10/2025, 7:47:37 PM
Last enriched: 11/10/2025, 7:50:47 PM
Last updated: 11/11/2025, 1:02:14 AM