CVE-2025-11387
Published: 07 October 2025
Summary
CVE-2025-11387 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac15 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation and bounds checking of the Password argument in /goform/fast_setting_pppoe_set to directly prevent stack-based buffer overflow exploitation.
Implements memory protections such as stack canaries, non-executable stacks, and ASLR to mitigate successful exploitation of the stack buffer overflow.
Mandates timely remediation of the identified buffer overflow flaw through firmware patching to eliminate the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the router's web management interface (/goform/fast_setting_pppoe_set) via remote manipulation of the Password parameter enables remote code execution, facilitating exploitation of a public-facing application.
NVD Description
A vulnerability was determined in Tenda AC15 15.03.05.18. This affects an unknown function of the file /goform/fast_setting_pppoe_set. This manipulation of the argument Password causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and…
more
may be utilized.
Deeper analysisAI
CVE-2025-11387 is a stack-based buffer overflow vulnerability affecting the Tenda AC15 router on firmware version 15.03.05.18. The flaw exists in an unknown function of the /goform/fast_setting_pppoe_set file, where manipulation of the Password argument triggers the overflow. It is classified under CWE-119 and CWE-121, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data, modification of system integrity, and denial of service, potentially leading to remote code execution via the buffer overflow.
Advisories note that the exploit has been publicly disclosed, with a proof-of-concept available at https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC15/fast_setting_pppoe_set.md. Additional details appear in VulDB entries at https://vuldb.com/?ctiid.327314, https://vuldb.com/?id.327314, and https://vuldb.com/?submit.664970. The vendor site is https://www.tenda.com.cn/, though no specific patch or mitigation guidance is detailed in the references.
Details
- CWE(s)