Cyber Resilience

CVE-2021-31755

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 07 May 2021

Modified: 10 November 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9396 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-31755 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Tenda AC11 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A stack buffer overflow vulnerability exists in Tenda AC11 wireless routers running firmware versions through 02.03.01.104_CN. The flaw is located in the /goform/setmac endpoint and is tracked as CWE-787. It carries a CVSS 3.1 base score of 9.8, reflecting an attack that is reachable over the network, requires no authentication or user interaction, and has low attack complexity.

An unauthenticated attacker can send a crafted HTTP POST request to the affected endpoint and trigger the overflow to execute arbitrary code on the device. Successful exploitation grants full control of the router, enabling actions such as traffic interception, persistence, or lateral movement within the attached network.

The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. Public proof-of-concept material is available in repositories that demonstrate request construction against the setmac handler, underscoring the need for immediate firmware updates or network segmentation where patches are unavailable.

Vulnerability details

An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted POST request.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

tenda · ac11 firmware · ≤ 02.03.01.104_cn

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Mandatory input validation on the /goform/setmac handler would reject the oversized POST body before the stack buffer is overwritten.

prevent: Applying the vendor firmware update that corrects the CWE-787 flaw in setmac eliminates the exploitable condition entirely.

prevent: Hardware-enforced memory protections (e.g., NX, stack canaries) raise the difficulty of converting the overflow into reliable code execution.
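The input-validation control above, sketched as an added example (not Tenda's firmware code and not part of the original record): a length-first validator for a MAC-address form field. The function name and the assumption that the field carries a colon-separated MAC string are hypothetical, since the record does not name the overflowing parameter.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_TEXT_LEN 17 /* "aa:bb:cc:dd:ee:ff" */

static int hexval(unsigned char c) /* caller has already checked isxdigit */
{
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Hypothetical validator for a MAC-address form field (field format is an
 * assumption). value/value_len come from the HTTP parser, so the length is
 * known up front. Returns 0 and fills out[6] on success, -1 on malformed or
 * oversized input; out is left untouched on failure. */
int parse_mac_field(const char *value, size_t value_len, uint8_t out[6])
{
    uint8_t tmp[6];

    if (value == NULL || out == NULL || value_len != MAC_TEXT_LEN)
        return -1; /* length rejected before any byte is copied */
    for (size_t i = 0; i < 6; i++) {
        unsigned char hi = (unsigned char)value[i * 3];
        unsigned char lo = (unsigned char)value[i * 3 + 1];

        if (!isxdigit(hi) || !isxdigit(lo))
            return -1;
        if (i < 5 && value[i * 3 + 2] != ':') /* separator between octets */
            return -1;
        tmp[i] = (uint8_t)((hexval(hi) << 4) | hexval(lo));
    }
    memcpy(out, tmp, sizeof tmp); /* fixed 6-byte copy, never input-sized */
    return 0;
}

int main(void)
{
    char oversized[600]; /* constructed sample: oversized field value */
    uint8_t mac[6];

    memset(oversized, 'A', sizeof oversized);
    printf("valid:     %d\n", parse_mac_field("00:1a:2b:3c:4d:5e", 17, mac));
    printf("oversized: %d\n", parse_mac_field(oversized, sizeof oversized, mac));
    return 0;
}
```

The only copy into a fixed-size buffer has a compile-time length, so no request-controlled size ever reaches `memcpy`.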
