CVE-2025-11091
Published: 28 September 2025
Summary
CVE-2025-11091 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda AC21 firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 49.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely application of firmware patches to remediate the buffer overflow vulnerability in the Tenda AC21's SetStaticRouteCfg CGI endpoint.
Mandates validation of inputs to the sscanf function in /goform/SetStaticRouteCfg to block malformed argument lists that trigger the buffer overflow.
Implements memory protections such as stack guards or ASLR to mitigate exploitation of the buffer overflow leading to arbitrary code execution.
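The input-validation control above can be illustrated with a bounded sscanf parse. This is an added example, not Tenda firmware code: the page does not describe the format of the list argument, so the "dest,mask,gateway,iface" record layout, the struct, the function name and the sample values are all assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, assumed for illustration: "dest,mask,gateway,iface". */
struct route_entry {
    char dest[INET_ADDRSTRLEN];   /* 16 bytes: fits "255.255.255.255" + NUL */
    char mask[INET_ADDRSTRLEN];
    char gw[INET_ADDRSTRLEN];
    char iface[8];
};

/* Unsafe pattern (CWE-120): no field widths, so any field longer than its
 * buffer is written past the end of that buffer:
 *     sscanf(s, "%[^,],%[^,],%[^,],%s", e->dest, e->mask, e->gw, e->iface);
 */

/* Bounded parse. Returns 0 on success, -1 if the entry is rejected. */
int parse_route_entry(const char *s, struct route_entry *e)
{
    struct in_addr tmp;
    int consumed = 0;

    if (s == NULL || e == NULL || strlen(s) > 63)   /* cap total length first */
        return -1;
    memset(e, 0, sizeof *e);

    /* Each width is sizeof(buffer) - 1; %n records how much input was used. */
    if (sscanf(s, "%15[^,],%15[^,],%15[^,],%7[^,]%n",
               e->dest, e->mask, e->gw, e->iface, &consumed) != 4)
        return -1;
    if (s[consumed] != '\0')                        /* trailing or oversized data */
        return -1;
    for (const char *p = e->iface; *p; p++)         /* interface name: alphanumeric only */
        if (!isalnum((unsigned char)*p)) return -1;

    /* Semantic validation: every address field must be a dotted-quad IPv4. */
    if (inet_pton(AF_INET, e->dest, &tmp) != 1 ||
        inet_pton(AF_INET, e->mask, &tmp) != 1 ||
        inet_pton(AF_INET, e->gw, &tmp) != 1)
        return -1;
    return 0;
}
```

An over-long field fails the literal comma match or the trailing-data check, so the parser rejects the entry instead of truncating it silently.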
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A buffer overflow in a public CGI endpoint (/goform/SetStaticRouteCfg) on a network device directly enables remote code execution via exploitation of a public-facing application.
NVD Description
A security flaw has been discovered in Tenda AC21 up to 16.03.08.16. Affected by this vulnerability is the function sscanf of the file /goform/SetStaticRouteCfg. The manipulation of the argument list results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
Deeper analysis
CVE-2025-11091 is a buffer overflow vulnerability in Tenda AC21 routers running firmware versions up to 16.03.08.16. The issue affects the sscanf function within the /goform/SetStaticRouteCfg CGI endpoint, where manipulation of the argument list triggers the overflow. This flaw, linked to CWE-119 and CWE-120, was published on 2025-09-28 and carries a CVSS v3.1 base score of 8.8.
The vulnerability enables remote exploitation by attackers with low privileges (PR:L), requiring low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially leading to arbitrary code execution on the device.
Advisories and details are available via VulDB entries (ctiid.326173, id.326173, submit.661806) and the Tenda vendor site (tenda.com.cn). A proof-of-concept exploit has been publicly released on GitHub (maximdevere/CVE2/issues/2).
The public availability of the exploit indicates potential for active exploitation.
Details
- CWE(s)