Full Report
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed ten vulnerabilities in BioSig Libbiosig, nine in Tenda AC6 Router, eight in SAIL, two in PDF-XChange Editor, and one in a Foxit PDF Reader.The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in
Analysis Summary
# Vulnerability: Multiple Software Vulnerabilities Disclosed by Cisco Talos (Libbiosig, Tenda, PDF-XChange, Foxit)
## CVE Details
This roundup covers multiple CVEs that were discovered across several products. Specific severity scores and CWEs are not provided for all CVEs, but the impact is generally severe (Arbitrary Code Execution or Information Leak).
**Identified CVEs (Partial List):**
- **Libbiosig:** CVE-2025-53518, CVE-2025-52581, CVE-2025-54480 to CVE-2025-54494 (partial range), CVE-2025-46411, CVE-2025-53853, CVE-2025-53557, CVE-2025-53511, CVE-2025-54462, CVE-2025-48005, CVE-2025-52461.
- **Tenda:** CVE-2025-31355, CVE-2025-27564, CVE-2025-31646.
- **Foxit:** CVE-2025-32451.
- **PDF-XChange:** CVE-2025-27931, CVE-2025-47152.
*(Note: CVSS scores were not present in the source context for specific CVEs.)*
## Affected Systems
- **Products:** BioSig Libbiosig (C/C++ Library), Tenda AC6 Router, PDF-XChange Editor, Foxit PDF Reader.
- **Versions:**
- **Libbiosig:** Version 3.9.0 and the latest commit on the Master Branch (at time of disclosure).
- **Tenda AC6:** Version V5.0 V02.03.01.110.
- **PDF-XChange Editor:** Version 10.5.2.395.
- **Foxit Reader:** Version 2025.1.0.27937.
- **Configurations:** Not explicitly detailed, but manipulation relies on processing specially crafted files or network traffic. PDF-XChange/Foxit vulnerabilities are triggerable via opening malicious files or visiting malicious websites (if the browser plugin is enabled for Foxit).
## Vulnerability Description
**Libbiosig (Memory Safety & Integer Errors):**
Ten vulnerabilities were found across various parsing functionalities:
1. **Integer Overflows** in ABF and GDF parsing, leading to Arbitrary Code Execution (ACE).
2. **Stack-based Buffer Overflows** in MFER parsing, leading to ACE.
3. **Heap-based Buffer Overflows** in ISHNE, MFER, Nex, and RHS2000 parsing, leading to ACE.
4. **Out-of-bounds Read** in Nex parsing, leading to an information leak.
**Tenda AC6 Router (Firmware & Authentication):**
1. **Firmware Signature Validation Bypass (CVE-2025-31355):** Allows ACE via a specially crafted firmware update file.
2. **Unencrypted Transmission of Credentials (CVE-2025-27564, CVE-2025-31646):** Issues in web portal authentication and Session Authentication Cookie functionality, potentially related to sniffing or authentication bypass.
**PDF-XChange Editor (Out-of-bounds Read):**
Two flaws in the EMF parsing functionality allow an attacker to cause an out-of-bounds read by processing a malicious EMF file, potentially leading to sensitive information disclosure.
**Foxit PDF Reader (Memory Corruption):**
A memory corruption vulnerability exists in the reader, triggerable via specially crafted JavaScript code within a malicious PDF document, or potentially via a malicious website if the browser plugin is active, resulting in ACE.
## Exploitation
- **Status:** The article confirms these vulnerabilities have been patched, implying that exploit details are restricted or that exploitation was not confirmed "in the wild" at the time of disclosure before patching.
- **Complexity:**
- Libbiosig, PDF-XChange, Foxit: Likely **Medium** to **High**, as they require file processing or specific user interaction (opening file/visiting site).
- Tenda (ACE): Likely **Medium**, involving network traffic manipulation.
- **Attack Vector:** Varies: Malicious file presentation (Local/Network depending on context), Network packets (Tenda).
## Impact
- **Confidentiality:** High (Information Leak in Libbiosig OOB Read; ACE can facilitate C2/data theft).
- **Integrity:** High (Arbitrary Code Execution in many flaws allows full control over the process/device context).
- **Availability:** High (ACE can lead to service crashes or denial of control).
## Remediation
### Patches
All vendors mentioned have patched the identified issues. Users must check the respective vendor advisories for specific patch versions corresponding to the listed CVEs.
* **Libbiosig:** Patches are available in newer releases of the library (post 3.9.0 / Master Branch updates).
* **Tenda:** Patches are available for the AC6 V5.0 firmware.
* **PDF-XChange Editor & Foxit Reader:** Updates resolving versions 10.5.2.395 (PDF-XChange) and 2025.1.0.27937 (Foxit) must be applied.
### Workarounds
No specific workarounds were detailed in the summary, though general mitigation includes:
* Blocking inbound/outbound firmware updates if possible (Tenda).
* Disabling the Foxit browser plugin if the application is not updated immediately (Foxit).
* Restricting untrusted file parsing if possible (Libbiosig/PDF readers).
## Detection
- Cisco Talos recommends downloading the latest rule sets from **Snort.org** for coverage specific to the exploitation of these vulnerabilities.
- Detection should focus on:
1. Network traffic anomalies related to unencrypted credentials (Tenda).
2. File uploads or processing inputs containing malformed binary structures identified by the vulnerability classes (Integer overflow, buffer overflows, OOB reads in parsers).
## References
- Vendor advisories must be consulted for the decisive patch information.
- Latest Vulnerability Reports are posted on Talos Intelligence’s website:
- talosintelligence com/vulnerability_reports
- Snort rule sets are available at:
- snort org