CVE-2025-11324
Published: 06 October 2025
Summary
CVE-2025-11324 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac18 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the stack-based buffer overflow vulnerability in the /goform/setNotUpgrade endpoint by requiring identification, reporting, and correction of the flaw in Tenda AC18 firmware.
Prevents the buffer overflow by validating, sanitizing, or rejecting the manipulated newVersion argument before processing.
Mitigates successful exploitation of the stack-based buffer overflow using memory protection mechanisms such as stack canaries and address space layout randomization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The remotely exploitable stack-based buffer overflow in the Tenda AC18 router's web management interface (/goform/setNotUpgrade) enables exploitation of a public-facing application for initial access.
NVD Description
A vulnerability was identified in Tenda AC18 15.03.05.19(6318). Affected by this vulnerability is an unknown functionality of the file /goform/setNotUpgrade. Such manipulation of the argument newVersion leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is…
more
publicly available and might be used.
Deeper analysisAI
CVE-2025-11324 is a stack-based buffer overflow vulnerability in Tenda AC18 firmware version 15.03.05.19(6318). The flaw affects an unknown functionality within the /goform/setNotUpgrade file, where manipulation of the newVersion argument triggers the overflow. Published on 2025-10-06, it is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker can exploit this vulnerability remotely over the network with low privileges required and low attack complexity, without needing user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected device.
Advisories referenced in VulDB entries (ctiid.327207, id.327207, submit.664526) and a GitHub repository (noahze01/IoT-vulnerable/blob/main/Tenda/AC18/setNotUpgrade.md) detail the issue, with the exploit publicly available for potential use. The Tenda website (tenda.com.cn) is also listed as a reference, though specific patch details are not outlined in the available information.
The public availability of the exploit heightens the risk for unpatched Tenda AC18 devices.
Details
- CWE(s)