CVE-2025-68706 · CRITICAL 9.8 · EPSS p89.6%

Description

A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer with no bounds checks. This allows an attacker to corrupt adjacent stack memory and crash the web server, and under certain conditions may enable arbitrary code execution.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.19% probability of exploitation · percentile 89.6% · 2026-06-19T12:03:05Z
Published: 2025-12-29
Last modified: 2026-01-15

Underlying weaknesses · 1

CWE-121

References

  1. https://drive.proton.me/urls/HJCJYAC7JM#XtHcm3P7QaYk
  2. https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-68706.txt
  3. https://github.com/actuator/cve/tree/main/Kuwfi
  4. https://kuwfi.com/products/kuwfi-gigabit-wireless-router-4g-lte-wifi-router-dual-band-portable-wifi-modem-hotspot-64-user-with-gigabit-wan-lan-rj11-port

Type | Target | Confidence | Tier
Weakness | Stack-based Buffer Overflow (cwe-121) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-43983, CVE-2025-67073, CVE-2026-0836, CVE-2025-45427, CVE-2025-7084, CVE-2026-5610

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.