CVE-2025-10120
Published: 09 September 2025
Summary
CVE-2025-10120 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac20 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely remediation of identified flaws like the buffer overflow in Tenda AC20 firmware via patching or upgrades to prevent exploitation.
Requires validation and sanitization of inputs such as the 'mac' argument to /goform/GetParentControlInfo to prevent buffer overflows from oversized or malformed data.
Implements memory safeguards like non-executable stacks or address space randomization to block arbitrary code execution from the buffer overflow vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in unauthenticated remote web endpoint (/goform/GetParentControlInfo) enables remote code execution on public-facing router, facilitating T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability was detected in Tenda AC20 up to 16.03.08.12. The impacted element is the function strcpy of the file /goform/GetParentControlInfo. The manipulation of the argument mac results in buffer overflow. The attack may be performed from remote. The exploit…
more
is now public and may be used.
Deeper analysisAI
CVE-2025-10120 is a buffer overflow vulnerability in Tenda AC20 routers running firmware versions up to 16.03.08.12. The issue resides in the strcpy function within the /goform/GetParentControlInfo file, where manipulation of the "mac" argument triggers the overflow. Associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
Remote attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system compromise on the affected router.
VulDB advisories (ctiid.323089, id.323089) document the issue, while a public proof-of-concept exploit is available on GitHub at cymiao1978/cve/blob/main/4.md and its #poc section. No vendor patches or specific mitigations are detailed in the provided references; security practitioners should monitor for firmware updates from Tenda.
The exploit is public and available for use, as noted in the CVE description published on 2025-09-09.
Details
- CWE(s)