CVE-2025-11123
Published: 28 September 2025
Summary
CVE-2025-11123 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac18 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the stack-based buffer overflow by requiring timely remediation through firmware patching for the specific flaw in /goform/saveAutoQos.
Prevents the buffer overflow by enforcing validation of the 'enable' argument in the /goform/saveAutoQos endpoint to restrict operations within memory bounds.
Mitigates successful exploitation of the stack buffer overflow via memory protections like stack canaries, non-executable memory, and ASLR.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the router's web management interface (/goform/saveAutoQos) via remote manipulation of the 'enable' parameter enables exploitation of a public-facing application for potential remote code execution.
NVD Description
A flaw has been found in Tenda AC18 15.03.05.19. This impacts an unknown function of the file /goform/saveAutoQos. This manipulation of the argument enable causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and…
more
may be used.
Deeper analysisAI
CVE-2025-11123 is a stack-based buffer overflow vulnerability affecting the Tenda AC18 router on firmware version 15.03.05.19. The issue resides in an unknown function within the /goform/saveAutoQos file, where manipulation of the "enable" argument triggers the overflow. Published on 2025-09-28, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability by sending a crafted request to the /goform/saveAutoQos endpoint. Successful exploitation leads to high-impact consequences, including potential arbitrary code execution, unauthorized data access, modification of system integrity, or denial of service due to the stack overflow.
Advisories and references, including VulDB entries (e.g., https://vuldb.com/?ctiid.326204) and GitHub proof-of-concept details (https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC18/saveAutoQos.md), document the issue but do not specify patches or mitigations in the available information.
The published exploit increases the risk of real-world attacks on exposed Tenda AC18 devices, particularly in IoT environments.
Details
- CWE(s)