CVE-2025-68706

A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer with no bounds checks. This allows an attacker to corrupt adjacent stack memory, crash the web server, and (under certain conditions) may enable arbitrary code execution.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://drive.proton.me/urls/HJCJYAC7JM#XtHcm3P7QaYk	Broken Link
https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-68706.txt	Third Party Advisory
https://github.com/actuator/cve/tree/main/Kuwfi	Third Party Advisory
https://kuwfi.com/products/kuwfi-gigabit-wireless-router-4g-lte-wifi-router-dual-band-portable-wifi-modem-hotspot-64-user-with-gigabit-wan-lan-rj11-port	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:kuwfi:ac900_firmware:1.0.13:*:*:*:*:*:*:*

cpe:2.3:h:kuwfi:ac900:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-29 19:15

Updated : 2026-01-15 02:21

NVD link : CVE-2025-68706

Mitre link : CVE-2025-68706

CVE.ORG link : CVE-2025-68706

JSON object : View

Products Affected

kuwfi

ac900
ac900_firmware

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2025-68706", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-12-29T19:15:57.090", "references": [{"url": "https://drive.proton.me/urls/HJCJYAC7JM#XtHcm3P7QaYk", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-68706.txt", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/actuator/cve/tree/main/Kuwfi", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://kuwfi.com/products/kuwfi-gigabit-wireless-router-4g-lte-wifi-router-dual-band-portable-wifi-modem-hotspot-64-user-with-gigabit-wan-lan-rj11-port", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer with no bounds checks. This allows an attacker to corrupt adjacent stack memory, crash the web server, and (under certain conditions) may enable arbitrary code execution."}], "lastModified": "2026-01-15T02:21:29.610", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:kuwfi:ac900_firmware:1.0.13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B897FBEF-F259-4AAA-BC46-820ABD0D9605"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:kuwfi:ac900:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2A90E0A0-E2D2-40F5-8219-8FE34A1324D9"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}