CVE-2025-63149 is a stack-based buffer overflow vulnerability identified in the Tenda AX3 router firmware version V16.03.12.10_CN. The vulnerability resides in the get_parentControl_list_Info function, which processes the 'urls' parameter. Due to insufficient bounds checking, an attacker can send a crafted request containing an overly long or malformed 'urls' parameter, triggering a stack overflow. This overflow can overwrite the stack, leading to a crash of the router’s firmware process and causing a Denial of Service (DoS) by making the device unresponsive or rebooting it. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The CVSS 3.1 base score is 7.5, indicating high severity primarily due to the impact on availability (A:H), with no impact on confidentiality or integrity. The attack vector is network (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow). As of the publication date, no patches or known exploits are publicly available. The lack of a patch means affected devices remain vulnerable, posing a risk especially in environments where these routers are deployed without adequate network protections. The Tenda AX3 is a popular consumer-grade Wi-Fi 6 router, often used in small office/home office (SOHO) settings, which may be part of European organizational networks, particularly in SMEs.

The primary impact of CVE-2025-63149 is on the availability of network infrastructure relying on the Tenda AX3 router. Exploitation results in a Denial of Service, potentially causing network outages or degraded connectivity for users dependent on the affected device. For European organizations, especially small and medium enterprises (SMEs) and home office workers using these routers, this could disrupt business operations, remote work, and communications. The vulnerability does not compromise confidentiality or integrity directly, but the loss of network availability can have cascading effects on productivity and service delivery. Additionally, repeated exploitation attempts could lead to increased operational costs due to troubleshooting and device replacement. In critical infrastructure or sectors with high reliance on continuous connectivity, such as finance, healthcare, or government services, the impact could be more severe. The absence of known exploits in the wild currently reduces immediate risk, but the ease of exploitation and lack of authentication requirements mean attackers could develop exploits rapidly once the vulnerability is widely known.

1. Immediately restrict access to the router’s management interfaces (web UI, SSH, Telnet) to trusted internal networks or VPNs to prevent unauthorized remote exploitation. 2. Implement network segmentation to isolate vulnerable routers from critical systems and sensitive data. 3. Monitor network traffic for unusual or malformed requests targeting the get_parentControl_list_Info function or the 'urls' parameter, using intrusion detection systems (IDS) or firewall logs. 4. Disable or limit parental control features if not required, as the vulnerability is in the parent control list function. 5. Regularly check for firmware updates from Tenda and apply patches promptly once available. 6. Consider replacing vulnerable Tenda AX3 routers with devices from vendors with a stronger security track record if patching is delayed. 7. Educate IT staff and users about the risks of using default or outdated router firmware and the importance of network hygiene. 8. Employ network-level DoS protection mechanisms to mitigate potential denial of service impacts. These steps go beyond generic advice by focusing on network access controls, feature-specific mitigations, and proactive monitoring tailored to this vulnerability’s characteristics.