CVE-2025-68706

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer with no bounds checks. This allows an attacker to corrupt adjacent stack memory, crash the web server, and (under certain conditions) may enable arbitrary code execution.

Vulnerability Details

Published Date

December 29, 2025

Last Modified

January 15, 2026

CWE ID

CWE-121

Source

NVD

Vendor

kuwfi

Product

ac900_firmware

External References

https://drive.proton.me/urls/HJCJYAC7JM#XtHcm3P7QaYk
https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-68706.txt
https://github.com/actuator/cve/tree/main/Kuwfi
https://kuwfi.com/products/kuwfi-gigabit-wireless-router-4g-lte-wifi-router-dual-band-portable-wifi-modem-hotspot-64-user-with-gigabit-wan-lan-rj11-port

CVE-2025-68706

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment