CVE-2025-11389
Published: 07 October 2025
Summary
CVE-2025-11389 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac15 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents the stack-based buffer overflow by requiring validation of the 'enable' argument in the /goform/saveAutoQos function.
Mitigates the vulnerability by identifying, prioritizing, and applying firmware patches or updates for the Tenda AC15 buffer overflow flaw.
Protects against successful exploitation of the stack-based buffer overflow through memory safeguards like stack canaries, ASLR, and DEP.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the Tenda AC15 router's public-facing web interface (/goform/saveAutoQos) enables remote exploitation of a public-facing application for potential RCE and initial access.
NVD Description
A security flaw has been discovered in Tenda AC15 15.03.05.18. Affected is an unknown function of the file /goform/saveAutoQos. Performing a manipulation of the argument enable results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit…
more
has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2025-11389 is a stack-based buffer overflow vulnerability affecting the Tenda AC15 router on firmware version 15.03.05.18. The issue lies in an unknown function within the /goform/saveAutoQos file, where manipulation of the "enable" argument triggers the overflow.
With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability enables remote exploitation by low-privileged users over the network, requiring low attack complexity and no user interaction. Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially leading to remote code execution.
Advisories reference a public exploit detailed in a GitHub repository at https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC15/saveAutoQos.md, along with VulDB entries at https://vuldb.com/?ctiid.327316, https://vuldb.com/?id.327316, and https://vuldb.com/?submit.664982. The vendor's site at https://www.tenda.com.cn/ is listed, but no specific patches or mitigations are detailed in the provided information.
The exploit has been publicly released, increasing the risk of real-world attacks against vulnerable Tenda AC15 devices.
Details
- CWE(s)