Cyber Posture

CVE-2025-11326

HighPublic PoC

Published: 06 October 2025

Published
06 October 2025
Modified
24 February 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0028 51.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11326 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac18 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly enforces validation of the wifi_chkHz argument in /goform/WifiMacFilterSet to prevent stack-based buffer overflows from malformed remote inputs.

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and patching of the known buffer overflow flaw in Tenda AC18 firmware version 15.03.05.19(6318).

SI-16 Memory Protection good match
prevent

Implements memory protections such as stack canaries or non-executable stacks to mitigate exploitation of the stack-based buffer overflow vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Stack-based buffer overflow in the remotely accessible web endpoint /goform/WifiMacFilterSet allows exploitation of a public-facing application on the Tenda AC18 router.

NVD Description

A weakness has been identified in Tenda AC18 15.03.05.19(6318). This affects an unknown part of the file /goform/WifiMacFilterSet. Executing a manipulation of the argument wifi_chkHz can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit…

more

has been made available to the public and could be used for attacks.

Deeper analysisAI

CVE-2025-11326 is a stack-based buffer overflow vulnerability (CWE-119, CWE-121) affecting the Tenda AC18 router on firmware version 15.03.05.19(6318). The issue lies in the /goform/WifiMacFilterSet component, where manipulation of the wifi_chkHz argument triggers the overflow. Published on 2025-10-06, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability enables remote exploitation by an attacker with low privileges over the network, requiring low complexity and no user interaction. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially leading to arbitrary code execution and full device compromise.

Advisories from VulDB (ctiid.327209, id.327209, submit.664530) document the flaw and note that a public exploit is available in a GitHub repository detailing the Tenda AC18 WifiMacFilterSet vulnerability. The vendor's site (tenda.com.cn) is referenced, but no specific patches or mitigation steps are outlined in the provided references.

Details

CWE(s)
CWE-119CWE-121

Affected Products

tenda
ac18 firmware
15.03.05.19\(6318\)

CVEs Like This One

CVE-2025-11324Same product: Tenda Ac18
CVE-2025-11122Same product: Tenda Ac18
CVE-2025-11123Same product: Tenda Ac18
CVE-2025-14993Same product: Tenda Ac18
CVE-2025-11325Same product: Tenda Ac18
CVE-2025-14992Same product: Tenda Ac18
CVE-2025-11328Same product: Tenda Ac18
CVE-2025-11327Same product: Tenda Ac18
CVE-2024-57578Same product: Tenda Ac18
CVE-2024-57582Same product: Tenda Ac18

References