Cyber Posture

CVE-2025-11386

HighPublic PoC

Published: 07 October 2025

Published
07 October 2025
Modified
09 October 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0026 49.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11386 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac15 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly validates the 'ddnsEn' POST parameter to prevent stack-based buffer overflow from malformed input.

SI-2 Flaw Remediation good match
prevent

Requires timely firmware patching for Tenda AC15 version 15.03.05.18 to remediate the known buffer overflow vulnerability.

SI-16 Memory Protection good match
prevent

Implements memory protections like stack canaries and ASLR to mitigate exploitation of the stack-based buffer overflow even if input validation fails.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is a remotely exploitable stack-based buffer overflow in the Tenda AC15 router's web interface (/goform/SetDDNSCfg), enabling adversaries to exploit a public-facing application for potential remote code execution.

NVD Description

A vulnerability was found in Tenda AC15 15.03.05.18. The impacted element is an unknown function of the file /goform/SetDDNSCfg of the component POST Parameter Handler. The manipulation of the argument ddnsEn results in stack-based buffer overflow. The attack can be…

more

launched remotely. The exploit has been made public and could be used.

Deeper analysisAI

CVE-2025-11386 is a stack-based buffer overflow vulnerability in Tenda AC15 routers running firmware version 15.03.05.18. The flaw affects an unknown function in the /goform/SetDDNSCfg endpoint of the POST Parameter Handler component, where manipulation of the 'ddnsEn' argument triggers the overflow.

The vulnerability enables remote exploitation over the network by attackers possessing low privileges, with low attack complexity and no requirement for user interaction. Exploitation can result in high confidentiality, integrity, and availability impacts, as reflected in its CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The exploit has been publicly released and is available for use.

Advisories reference a GitHub repository containing exploit details for the Tenda AC15 SetDDNSCfg vulnerability, along with VulDB entries (ctiid.327313, id.327313, submit.664969) tracking the issue. The official Tenda website is also listed, where practitioners should verify for any firmware patches or updates.

Details

CWE(s)
CWE-119CWE-121

Affected Products

tenda
ac15 firmware
15.03.05.18

CVEs Like This One

CVE-2025-11389Same product: Tenda Ac15
CVE-2025-11387Same product: Tenda Ac15
CVE-2025-11388Same product: Tenda Ac15
CVE-2025-0566Same product: Tenda Ac15
CVE-2026-3400Same product: Tenda Ac15
CVE-2026-5830Same product: Tenda Ac15
CVE-2026-4975Same product: Tenda Ac15
CVE-2026-24103Same product: Tenda Ac15
CVE-2025-25632Same product: Tenda Ac15
CVE-2026-24105Same product: Tenda Ac15

References