CVE-2025-11528
Published: 09 October 2025
Summary
CVE-2025-11528 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac7 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation, directly addressing the stack-based buffer overflow by applying vendor patches or firmware updates to eliminate the vulnerability in /goform/saveAutoQos.
SI-10 mandates validation of information inputs like the 'enable' argument at the vulnerable endpoint, preventing the crafted manipulation that triggers the stack buffer overflow.
SI-16 enforces memory protections such as stack canaries or DEP, mitigating exploitation of the stack-based buffer overflow even if input validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the /goform/saveAutoQos web endpoint of the Tenda AC7 router enables remote code execution via exploitation of a public-facing application.
NVD Description
A vulnerability was identified in Tenda AC7 15.03.06.44. This affects an unknown function of the file /goform/saveAutoQos. The manipulation of the argument enable leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available…
more
and might be used.
Deeper analysisAI
CVE-2025-11528 is a stack-based buffer overflow vulnerability in Tenda AC7 routers running firmware version 15.03.06.44. The flaw affects an unknown function in the /goform/saveAutoQos file, triggered by manipulation of the "enable" argument. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers who possess low privileges, such as authenticated users with limited access to the device. By sending crafted requests to the vulnerable endpoint, an attacker can overflow the stack, potentially achieving high-impact compromise including unauthorized data access, modification, and denial of service, up to remote code execution.
Advisories from VulDB (ctiid.327666, id.327666, submit.669859) document the issue, while a proof-of-concept exploit is publicly available on GitHub at https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC7/saveAutoQos.md. The vendor's site at https://www.tenda.com.cn/ provides general product information, but no specific patch or mitigation details are referenced in the available sources.
The publicly available exploit increases the risk of real-world exploitation against unpatched Tenda AC7 devices exposed to the internet.
Details
- CWE(s)