CVE-2025-10838
Published: 23 September 2025
Summary
CVE-2025-10838 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac21 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 enforces validation of the wpapsk_crypto argument in the /goform/WifiExtraSet CGI script to prevent buffer overflow from malformed inputs.
SI-2 requires identification, reporting, and correction of the buffer overflow flaw in Tenda AC21 firmware version 16.03.08.16.
SI-16 implements memory protections such as address space layout randomization and stack guards to mitigate exploitation of the buffer overflow vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the public-facing web management interface (/goform/WifiExtraSet) of Tenda AC21 router enables remote exploitation for initial access.
NVD Description
A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function sub_45BB10 of the file /goform/WifiExtraSet. The manipulation of the argument wpapsk_crypto leads to buffer overflow. It is possible to initiate the attack remotely. The exploit is…
more
publicly available and might be used.
Deeper analysisAI
CVE-2025-10838 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting Tenda AC21 router firmware version 16.03.08.16. The flaw exists in the sub_45BB10 function within the /goform/WifiExtraSet CGI script, where manipulation of the wpapsk_crypto argument triggers the overflow. Published on 2025-09-23, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), marking it as high severity.
Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (C:H), modification of system integrity (I:H), and denial of service or code execution (A:H), potentially resulting in full router compromise. A proof-of-concept exploit is publicly available.
Advisories referenced on VulDB (ctiid.325200, id.325200, submit.657126) and a GitHub repository detail the vulnerability, including a POC demonstrating the buffer overflow. No specific patches or mitigation steps are outlined in the provided disclosures.
Details
- CWE(s)