Cyber Posture

CVE-2025-13446

HighPublic PoC

Published: 20 November 2025

Published
20 November 2025
Modified
21 November 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0044 63.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-13446 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac21 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly validates manipulated timeZone/time arguments to prevent stack-based buffer overflow in /goform/SetSysTimeCfg.

SI-16 Memory Protection good match
prevent

Implements memory protections like stack canaries or DEP to block arbitrary code execution from the stack buffer overflow.

SI-2 Flaw Remediation good match
prevent

Requires timely flaw remediation via firmware patching for the publicly exploited buffer overflow in Tenda AC21 v16.03.08.16.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The stack-based buffer overflow vulnerability (CVE-2025-13446) in the Tenda AC21 router's public-facing web management interface (/goform/SetSysTimeCfg) enables remote unauthenticated exploitation for potential remote code execution.

NVD Description

A vulnerability has been found in Tenda AC21 16.03.08.16. This vulnerability affects unknown code of the file /goform/SetSysTimeCfg. The manipulation of the argument timeZone/time leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit…

more

has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-13446 is a stack-based buffer overflow vulnerability in Tenda AC21 firmware version 16.03.08.16. The flaw affects unknown code in the /goform/SetSysTimeCfg file, where manipulation of the timeZone or time arguments triggers the overflow. It is classified under CWE-119 and CWE-121, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.

An attacker with low privileges can exploit this vulnerability remotely without user interaction. By sending crafted requests to the vulnerable endpoint, they can achieve high impacts on confidentiality, integrity, and availability, likely enabling arbitrary code execution on the affected device.

Exploit details have been publicly disclosed, as documented in advisories on VulDB (ctiid.333018, id.333018, submit.694425) and GitHub repositories at Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN8.md and VULN9.md. The CVE was published on 2025-11-20, and these resources indicate the exploit may be actively used.

Details

CWE(s)
CWE-119CWE-121

Affected Products

tenda
ac21 firmware
16.03.08.16

CVEs Like This One

CVE-2026-1637Same product: Tenda Ac21
CVE-2025-10838Same product: Tenda Ac21
CVE-2025-11091Same product: Tenda Ac21
CVE-2026-4565Same product: Tenda Ac21
CVE-2025-13445Same product: Tenda Ac21
CVE-2026-2148Same product: Tenda Ac21
CVE-2025-12611Same product: Tenda Ac21
CVE-2026-1638Same product: Tenda Ac21
CVE-2025-9605Same product: Tenda Ac21
CVE-2025-14992Same vendor: Tenda

References