CVE-2025-11388
Published: 07 October 2025
Summary
CVE-2025-11388 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda AC15 firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 49.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the stack-based buffer overflow flaw in the /goform/setNotUpgrade endpoint by identifying, reporting, and patching the vulnerable firmware.
Enforces validation of the newVersion parameter to prevent buffer overflow from improper input handling at the affected endpoint.
Implements memory safeguards like stack canaries or non-executable stacks to block arbitrary code execution from the buffer overflow exploitation.
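One way to apply the newVersion validation described above at a filtering proxy in front of the router's management interface, as an added example (not Tenda's code and not taken from the referenced advisory). The length limit, the character allowlist and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/setNotUpgrade"        # endpoint named in the CVE description
PARAM = "newVersion"                      # parameter named in the CVE description
MAX_LEN = 32                              # assumption: upper bound for a version string
ALLOWED = re.compile(r"[A-Za-z0-9._-]+")  # assumption: plausible version characters

def check_request(raw: bytes) -> list[str]:
    """Return findings for one raw HTTP/1.1 request; an empty list means pass."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    url = urlsplit(parts[1])
    if url.path.rstrip("/") != ENDPOINT:
        return []  # not the affected endpoint, nothing to check here
    # The parameter may arrive in the query string or in a form-encoded body.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    values += parse_qs(body.decode("latin-1"), keep_blank_values=True).get(PARAM, [])
    findings = []
    for value in values:
        if len(value) > MAX_LEN:
            findings.append(f"{PARAM} length {len(value)} exceeds {MAX_LEN}")
        if not ALLOWED.fullmatch(value):
            findings.append(f"{PARAM} is empty or has characters outside the allowlist")
    if len(values) > 1:
        findings.append(f"{PARAM} supplied {len(values)} times")
    return findings

# Constructed sample requests (not captured traffic).
_HEAD = (b"POST /goform/setNotUpgrade HTTP/1.1\r\nHost: router.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
SAMPLE_BENIGN = _HEAD + b"newVersion=1.2.3"
SAMPLE_OVERSIZED = _HEAD + b"newVersion=" + b"1" * 200

if __name__ == "__main__":
    for name, req in (("benign", SAMPLE_BENIGN), ("oversized", SAMPLE_OVERSIZED)):
        print(name, check_request(req) or "pass")
```

A filter like this limits exposure while the firmware itself remains unpatched; it does not fix the overflow.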
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in the public-facing web interface (/goform/setNotUpgrade) of Tenda AC15 router enables remote exploitation of a public-facing application for initial access, with public PoC available.
NVD Description
A vulnerability was identified in Tenda AC15 15.03.05.18. This impacts an unknown function of the file /goform/setNotUpgrade. Such manipulation of the argument newVersion leads to stack-based buffer overflow. The attack may be launched remotely. The exploit is publicly available and might be used.
Deeper analysis
CVE-2025-11388 is a stack-based buffer overflow vulnerability affecting Tenda AC15 routers running firmware version 15.03.05.18. The issue resides in an unknown function within the /goform/setNotUpgrade endpoint, where improper handling of the newVersion argument allows overflow conditions. This flaw, linked to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), was published on 2025-10-07 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
Remote attackers with low privileges can exploit this vulnerability by manipulating the newVersion parameter in requests to the affected endpoint, potentially leading to arbitrary code execution, data compromise, or denial of service. The low attack complexity and lack of user interaction requirements make it accessible to authenticated users over the network, enabling high impacts on confidentiality, integrity, and availability.
Advisories from VulDB detail the vulnerability and reference a publicly available exploit on GitHub at https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC15/setNotUpgrade.md, which demonstrates the buffer overflow. The vendor's site at https://www.tenda.com.cn/ is listed, though no specific patches or mitigations are detailed in the provided references.
Notable context includes the public availability of the exploit, increasing the risk of real-world abuse against unpatched Tenda AC15 devices.
Details
- CWE(s)