Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities

Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities

/in

Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed ten vulnerabilities in BioSig Libbiosig, nine in Tenda AC6 Router, eight in SAIL, two in PDF-XChange Editor, and one in a Foxit PDF Reader.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Libbiosig vulnerabilities

Discovered by Mark Bereza and Lilith >_> of Cisco Talos.

BioSig is an open source software library for biomedical signal processing. The aim of the BioSig project is to foster research in biomedical signal processing by providing free and open source software tools for many different application areas. BioSig for C/C++ provides command line tools for data conversion, a library to access a number of data formats (libbiosig), and some experimental code for network transfer of biosignal data.

Talos discovered ten vulnerabilities in libbiosig, affecting both version 3.9.0 of the stable release and the latest commit on the Master Branch at the time of disclosure to the vendor, grouped here by vulnerability type:

Integer overflow:

  • TALOS-2025-2231 (CVE-2025-53518) exists in the ABF parsing functionality. A specially crafted ABF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
  • TALOS-2025-2233 (CVE-2025-52581) exists in the GDF parsing functionality. A specially crafted GDF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Stack-based buffer overflow:

  • TALOS-2025-2234 (CVE-2025-54480-54494) and TALOS-2025-2236 (CVE-2025-46411) exist in the MFER parsing functionality. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Heap-based buffer overflow:

  • TALOS-2025-2232 (CVE-2025-53853) exists in the ISHNE parsing functionality. A specially crafted ISHNE ECG annotations file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
  • TALOS-2025-2235 (CVE-2025-53557) and TALOS-2025-2237 (CVE-2025-53511) exist in the MFER parsing functionality. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 
  • TALOS-2025-2239 (CVE-2025-54462) exists in the Nex parsing functionality. A specially crafted .nex file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
  • TALOS-2025-2240 (CVE-2025-48005) exists in the RHS2000 parsing functionality. A specially crafted RHS2000 file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Out-of-bounds read:

  • TALOS-2025-2238 (CVE-2025-52461) exists in the Nex parsing functionality. A specially crafted .nex file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

Tenda vulnerabilities

Discovered by Lilith >_> of Cisco Talos.

The Tenda AC6 is a popular and affordable dual-band gigabit WiFi Router available online, especially on Amazon. All vulnerabilities were found in Tenda AC6 V5.0 V02.03.01.110.

TALOS-2025-2161 (CVE-2025-31355) is a firmware update vulnerability in the Firmware Signature Validation functionality of Tenda. A specially crafted malicious file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Two unencrypted transmission of credentials vulnerabilities were found: TALOS-2025-2162 (CVE-2025-27564) exists in the web portal authentication functionality, while TALOS-2025-2167 (CVE-2025-31646) is in the Session Authentication Cookie functionality. Specially crafted network packets can lead to arbitrary authentication or authentication bypass, respectively. An attacker can sniff network traffic to trigger these vulnerabilities.

TALOS-2025-2163 (CVE-2025-24322) is an unsafe default authentication vulnerability in the Initial Setup Authentication functionality of Tenda. A specially crafted network request can lead to arbitrary code execution. An attacker can browse to the device to trigger this vulnerability.

TALOS-2025-2164 (CVE-2025-24496) is an information disclosure vulnerability in the /goform/getproductInfo functionality of Tenda. Specially crafted network packets can lead to a disclosure of sensitive information. An attacker can send packets to trigger this vulnerability.

TALOS-2025-2165 (CVE-2025-27129) is an authentication bypass vulnerability in the HTTP authentication functionality of Tenda. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send packets to trigger this vulnerability.

TALOS-2025-2166 (CVE-2025-30256) is a denial of service vulnerability in the HTTP Header Parsing functionality of Tenda. A specially crafted series of HTTP requests can lead to a reboot. An attacker can send multiple network packets to trigger this vulnerability.

TALOS-2025-2168 (CVE-2025-32010) is a stack-based buffer overflow vulnerability in the Cloud API functionality of Tenda. A specially crafted HTTP response can lead to arbitrary code execution. An attacker can send an HTTP response to trigger this vulnerability.

TALOS-2025-2178 (CVE-2025-31143) is a cleartext transmission vulnerability that exists in the Tenda App Router Authentication functionality of Tenda. An attacker can send information gleaned from sniffing network traffic to trigger this vulnerability, which can lead to arbitrary authentication.

SAIL vulnerabilities

Discovered by a member of Cisco Talos.

SAIL is a format-agnostic image decoding library supporting all popular image formats. It provides a C/C++ API for end-users and works on Windows, macOS, and Linux platforms.

Talos found eight memory corruption vulnerabilities in SAIL Image Decoding Library v0.9.8.

TALOS-2025-2215 (CVE-2025-46407) exists in the BMPv3 Palette Decoding functionality. When loading a specially crafted .bmp file, an integer overflow can be made to occur which will cause a heap-based buffer to overflow when reading the palette from the image. These conditions can allow for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2216 (CVE-2025-32468) exists in the BMPv3 Image Decoding functionality. When loading a specially crafted .bmp file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2217 (CVE-2025-35984) exists in the PCX Image Decoding functionality. When decoding the image data from a specially crafted .pcx file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2218 (CVE-2025-53510) exists in the PSD Image Decoding functionality. When loading a specially crafted .psd file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2219 (CVE-2025-53085) exists in the PSD RLE Decoding functionality. When decompressing the image data from a specially crafted .psd file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2220 (CVE-2025-50129) exists in the PCX Image Decoding functionality. When decoding the image data from a specially crafted .tga file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2221 (CVE-2025-52930) exists in the BMPv3 RLE Decoding functionality. When decompressing the image data from a specially crafted .bmp file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2224 (CVE-2025-52456) exists in the WebP Image Decoding functionality. When loading a specially crafted .webp animation an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

PDF-XChange out-of-bounds read vulnerabilities

Discovered by KPC of Cisco Talos.

PDF-XChange Editor allows the creation, editing, manipulation, and conversion of PDF files, conforming to international ISO specifications for PDF files.

TALOS-2025-2171 (CVE-2025-27931) and TALOS-2025-2203 (CVE-2025-47152) are out-of-bounds read vulnerabilities in the EMF functionality of PDF-XChange Editor version 10.5.2.395. By using a specially crafted EMF file, an attacker could exploit these vulnerabilities to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

Foxit memory corruption vulnerability

Discovered by KPC of Cisco Talos.

Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.

TALOS-2025-2202 (CVE-2025-32451) is a memory corruption vulnerability in Foxit Reader 2025.1.0.27937. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

Cisco Talos Blog – ​Read More