CVE-2025-11524
Published: 09 October 2025
Summary
CVE-2025-11524 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac7 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 enforces input validation at system entry points, directly preventing the stack-based buffer overflow from manipulation of the ddnsEn argument in /goform/SetDDNSCfg.
SI-2 requires timely identification, reporting, and correction of flaws like this buffer overflow in Tenda AC7 firmware version 15.03.06.44.
SI-16 implements memory protections such as stack canaries or DEP to prevent arbitrary code execution from the stack-based buffer overflow exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the router's public-facing web interface (/goform/SetDDNSCfg) via remote POST request with ddnsEn parameter enables exploitation of a public-facing application for potential RCE.
NVD Description
A flaw has been found in Tenda AC7 15.03.06.44. This issue affects some unknown processing of the file /goform/SetDDNSCfg. This manipulation of the argument ddnsEn causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published…
more
and may be used.
Deeper analysisAI
CVE-2025-11524 is a stack-based buffer overflow vulnerability in Tenda AC7 router firmware version 15.03.06.44. The flaw affects the processing of the /goform/SetDDNSCfg file, where manipulation of the ddnsEn argument triggers the overflow. Published on 2025-10-09, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity by an attacker possessing low privileges, such as an authenticated user, and without requiring user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data compromise, or denial of service.
Advisories from VulDB (ctiid.327662, id.327662, submit.669852) document the issue, and a proof-of-concept exploit has been published on GitHub at https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC7/SetDDNSCfg.md, which may be used by attackers. The Tenda website (https://www.tenda.com.cn/) is referenced, but no specific patch or mitigation details are provided in the available information.
The published exploit heightens the risk of real-world exploitation against unpatched Tenda AC7 devices.
Details
- CWE(s)