
CVE-2025-63152: n/a

High
Tags: Vulnerability, CVE-2025-63152, cve, cve-2025-63152
Published: Mon Nov 10 2025 (11/10/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the wpapsk_crypto parameter of the wlSetExternParameter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

AI-Powered Analysis

Last updated: 11/17/2025, 17:20:15 UTC

Technical Analysis

CVE-2025-63152 is a stack-based buffer overflow vulnerability identified in the Tenda AX3 router firmware version V16.03.12.10_CN. The vulnerability resides in the handling of the wpapsk_crypto parameter within the wlSetExternParameter function. This function improperly processes crafted input, leading to a stack overflow condition. Exploiting this flaw requires no authentication or user interaction and can be performed remotely over the network. The consequence of successful exploitation is a Denial of Service (DoS), where the router crashes or becomes unresponsive, disrupting network connectivity. The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow), a common and critical software weakness. Although no public exploits have been reported yet, the vulnerability's characteristics—remote, unauthenticated, no user interaction—make it a significant risk. No patches or firmware updates have been released at the time of disclosure, increasing the urgency for affected users to implement interim mitigations. The CVSS v3.1 base score of 7.5 reflects the high impact on availability and ease of exploitation. This vulnerability does not affect confidentiality or integrity but can severely impact network operations reliant on the affected devices.

Potential Impact

For European organizations, the primary impact of CVE-2025-63152 is the potential loss of network availability due to router crashes caused by the stack overflow. This can disrupt business operations, especially for small and medium enterprises (SMEs) or remote offices relying on Tenda AX3 routers for internet connectivity and internal network access. Critical services dependent on continuous network uptime, such as VoIP, cloud applications, and remote work infrastructure, may be interrupted. Although the vulnerability does not compromise data confidentiality or integrity, the resulting DoS can lead to operational downtime and potential financial losses. Additionally, repeated exploitation attempts could increase network instability and complicate incident response efforts. The lack of available patches means organizations must rely on network-level controls and monitoring to mitigate risk temporarily. The threat is more pronounced in environments where Tenda AX3 routers are widely deployed without robust network segmentation or intrusion detection capabilities.

Mitigation Recommendations

1. Monitor Tenda’s official channels closely for firmware updates addressing CVE-2025-63152 and apply patches immediately upon release.
2. Implement network segmentation to isolate Tenda AX3 routers from critical infrastructure and sensitive systems, limiting the blast radius of a potential DoS.
3. Deploy network intrusion detection and prevention systems (IDS/IPS) capable of detecting anomalous or malformed packets targeting the wpapsk_crypto parameter or related router management interfaces.
4. Restrict remote management access to the routers by disabling WAN-side management or limiting access to trusted IP addresses only.
5. Regularly audit and inventory network devices to identify the presence of Tenda AX3 routers and assess exposure.
6. Consider temporary replacement or upgrade of vulnerable devices in high-risk environments until patches are available.
7. Educate IT staff about the vulnerability and signs of exploitation to enable rapid detection and response.
8. Employ rate limiting or firewall rules to mitigate the impact of repeated crafted requests targeting the vulnerable parameter.
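
As an illustration of recommendation 3, the sketch below triages captured request bodies for anomalous wpapsk_crypto values. It is an added example, not code from Tenda or from this advisory; the form-encoded body format, the 32-character ceiling and the sample records are assumptions constructed for the example.

```python
# Added example: flag requests whose wpapsk_crypto value looks anomalous.
# Assumptions (not from the advisory): form-encoded request bodies and the
# 32-character ceiling; tune both to traffic observed on your own devices.
from urllib.parse import parse_qsl

PARAM = "wpapsk_crypto"   # parameter named in the CVE description
MAX_VALUE_LEN = 32        # assumed ceiling for a legitimate value


def inspect_body(body: bytes) -> list[str]:
    """Return the reasons a request body looks anomalous (empty list = clean)."""
    reasons = []
    # latin-1 maps every byte to one character, so lengths match the wire.
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1")
    values = [v for k, v in pairs if k == PARAM]
    if len(values) > 1:
        reasons.append(f"{PARAM} repeated {len(values)} times")
    for v in values:
        if len(v) > MAX_VALUE_LEN:
            reasons.append(f"{PARAM} length {len(v)} exceeds {MAX_VALUE_LEN}")
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in v):
            reasons.append(f"{PARAM} contains non-printable bytes")
    return reasons


def triage(records):
    """records: iterable of (source_ip, body). Returns {source_ip: [reasons]}."""
    hits = {}
    for src, body in records:
        reasons = inspect_body(body)
        if reasons:
            hits.setdefault(src, []).extend(reasons)
    return hits


# Constructed sample traffic: documentation-range addresses, made-up values.
SAMPLE = [
    ("192.0.2.10", b"ssid=office&wpapsk_crypto=aes"),
    ("198.51.100.7", b"wpapsk_crypto=" + b"A" * 600),
    ("198.51.100.7", b"wpapsk_crypto=aes%00%01&wpapsk_crypto=tkip"),
]

if __name__ == "__main__":
    for src, reasons in triage(SAMPLE).items():
        print(src, reasons)
```

Sources that recur in the output are candidates for the rate limiting or firewall rules in recommendation 8.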


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69120ff3d84bdc1ba68e99c8

Added to database: 11/10/2025, 4:16:51 PM

Last enriched: 11/17/2025, 5:20:15 PM

Last updated: 11/21/2025, 7:25:19 PM
