CVE-2025-11328
Published: 06 October 2025
Summary
CVE-2025-11328 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda AC18 firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires identification, reporting, and correction of the stack-based buffer overflow flaw in the /goform/SetDDNSCfg handler.
Mandates validation of inputs like the ddnsEn argument to prevent buffer overflows from malformed data.
Implements memory safeguards such as stack canaries and ASLR to protect against stack-based buffer overflow exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in the public-facing web endpoint /goform/SetDDNSCfg allows remote exploitation for potential code execution on the Tenda AC18 router.
NVD Description
A vulnerability was detected in Tenda AC18 15.03.05.19(6318). This issue affects some unknown processing of the file /goform/SetDDNSCfg. The manipulation of the argument ddnsEn results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used.
Deeper analysis
CVE-2025-11328 is a stack-based buffer overflow vulnerability (CWE-119, CWE-121) affecting Tenda AC18 routers on firmware version 15.03.05.19(6318). The flaw occurs in the processing of the /goform/SetDDNSCfg file, where manipulation of the ddnsEn argument triggers the overflow. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
An attacker with low privileges can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data, modification of system behavior, and denial of service, with potential for arbitrary code execution due to the stack-based nature of the overflow.
References include a public exploit detailed on GitHub at https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC18/SetDDNSCfg.md and advisories from VulDB (https://vuldb.com/?ctiid.327211, https://vuldb.com/?id.327211). The Tenda vendor site (https://www.tenda.com.cn/) is listed for further information, though specific patch or mitigation details are not outlined in the available data. The exploit is public and may be used against vulnerable devices.
Details
- CWE(s)