CVE-2025-11385
Published: 07 October 2025
Summary
CVE-2025-11385 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac20 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents buffer overflows by requiring validation of untrusted inputs like the timeZone parameter before processing with functions such as sscanf.
SI-2 ensures timely patching of the specific buffer overflow flaw in the Tenda AC20 firmware to eliminate the vulnerability.
SI-16 mitigates buffer overflow exploitation through memory protections like ASLR and DEP, making arbitrary code execution unreliable.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the public-facing web interface (/goform/fast_setting_wifi_set) via remote timeZone parameter manipulation enables exploitation of public-facing applications for unauthenticated remote code execution.
NVD Description
A vulnerability has been found in Tenda AC20 up to 16.03.08.12. The affected element is the function sscanf of the file /goform/fast_setting_wifi_set. The manipulation of the argument timeZone leads to buffer overflow. The attack can be initiated remotely. The exploit…
more
has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-11385 is a buffer overflow vulnerability affecting Tenda AC20 routers up to version 16.03.08.12. The issue resides in the sscanf function within the /goform/fast_setting_wifi_set file, where manipulation of the timeZone argument triggers the overflow. Published on 2025-10-07, it is associated with CWE-119 and CWE-120.
The vulnerability enables remote exploitation with low complexity (AC:L), requiring low privileges (PR:L) but no user interaction (UI:N) and no change in scope (S:U). Attackers can achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 8.8, potentially allowing arbitrary code execution or denial of service.
References point to a GitHub repository containing a proof-of-concept exploit and VulDB entries documenting the vulnerability. The exploit has been publicly disclosed and may be used by attackers. No specific patch or mitigation details are provided in the available information.
Details
- CWE(s)