CVE-2025-11586
Published: 10 October 2025
Summary
CVE-2025-11586 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac7 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation, directly addressing the stack-based buffer overflow in /goform/setNotUpgrade by applying vendor patches or mitigations for CVE-2025-11586.
SI-10 mandates information input validation, preventing the buffer overflow triggered by manipulating the newVersion argument in the vulnerable endpoint.
SI-16 enforces memory protection mechanisms like stack canaries and ASLR, mitigating exploitation of the stack-based buffer overflow even if input validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the public-facing web management interface (/goform/setNotUpgrade) of Tenda AC7 router enables remote code execution without authentication.
NVD Description
A vulnerability was determined in Tenda AC7 15.03.06.44. This affects an unknown function of the file /goform/setNotUpgrade. This manipulation of the argument newVersion causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been…
more
publicly disclosed and may be utilized.
Deeper analysisAI
CVE-2025-11586 is a stack-based buffer overflow vulnerability affecting the Tenda AC7 router version 15.03.06.44. The issue resides in an unknown function of the /goform/setNotUpgrade file, where manipulation of the newVersion argument triggers the overflow. Associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), it was published on 2025-10-10 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Remote attackers with low privileges can exploit this vulnerability without user interaction. By sending crafted requests to the vulnerable endpoint, they can trigger the buffer overflow, potentially achieving high impacts on confidentiality, integrity, and availability, such as arbitrary code execution on the device.
References include GitHub details on the vulnerability and a proof-of-concept exploit, along with VulDB entries (ctiid.327908, id.327908, submit.671597). No vendor patches or specific mitigation guidance from advisories are detailed in the provided information, though the public disclosure of the exploit heightens the risk of real-world attacks.
Details
- CWE(s)