CVE-2025-11325
Published: 06 October 2025
Summary
CVE-2025-11325 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac18 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates the Username input to /goform/fast_setting_pppoe_set, preventing the stack-based buffer overflow exploitation.
Mandates timely patching of the buffer overflow flaw in Tenda AC18 firmware version 15.03.05.19(6318) to eliminate the vulnerability.
Deploys memory protections such as stack canaries, ASLR, and DEP to block successful exploitation of the stack-based buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remotely exploitable stack-based buffer overflow in the public-facing web interface (/goform/fast_setting_pppoe_set) of the Tenda AC18 router, enabling exploitation of a public-facing application.
NVD Description
A security flaw has been discovered in Tenda AC18 15.03.05.19(6318). Affected by this issue is some unknown functionality of the file /goform/fast_setting_pppoe_set. Performing a manipulation of the argument Username results in stack-based buffer overflow. The attack is possible to be…
more
carried out remotely. The exploit has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2025-11325 is a stack-based buffer overflow vulnerability (CWE-119, CWE-121) affecting the Tenda AC18 router on firmware version 15.03.05.19(6318). The issue resides in an unknown functionality of the /goform/fast_setting_pppoe_set file, where manipulation of the Username argument triggers the overflow. Published on 2025-10-06, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers possessing low privileges, with low attack complexity and no requirement for user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system compromise on affected devices.
Advisories on VulDB (ctiid.327208, id.327208, submit.664527) document the issue, while a proof-of-concept exploit is publicly available on GitHub at noahze01/IoT-vulnerable/Tenda/AC18/fast_setting_pppoe_set.md. The Tenda website (tenda.com.cn) provides a contact point for vendor guidance on patches or mitigations.
The public release of the exploit heightens the risk of real-world attacks against unpatched Tenda AC18 devices.
Details
- CWE(s)