CVE-2025-15218
Published: 30 December 2025
Summary
CVE-2025-15218 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac10U Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of the lanMask POST parameter to directly prevent buffer overflow from malicious input manipulation.
Mandates timely identification, reporting, and patching of the specific buffer overflow flaw in the router firmware.
Implements memory protections like DEP and stack canaries to block code execution from buffer overflow exploits.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in router web management interface (/goform/AdvSetLanip) via authenticated POST request enables remote code execution, directly mapping to exploitation of public-facing application.
NVD Description
A weakness has been identified in Tenda AC10U 15.03.06.48/15.03.06.49. Affected by this vulnerability is the function fromadvsetlanip of the file /goform/AdvSetLanip of the component POST Request Parameter Handler. Executing a manipulation of the argument lanMask can lead to buffer overflow.…
more
The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2025-15218 is a buffer overflow vulnerability (CWE-119, CWE-120) in Tenda AC10U routers running firmware versions 15.03.06.48 and 15.03.06.49. The flaw affects the fromadvsetlanip function in the /goform/AdvSetLanip file, part of the POST Request Parameter Handler component. It is triggered by manipulating the lanMask argument in a POST request, leading to a buffer overflow. The vulnerability was published on 2025-12-30 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers with low privileges, such as authenticated users on the network. Low attack complexity and no user interaction are required, allowing exploitation over the network with unchanged scope. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution or full system compromise.
Advisories and additional details are available via VulDB entries (https://vuldb.com/?ctiid.338603, https://vuldb.com/?id.338603, https://vuldb.com/?submit.725461) and the Tenda vendor site (https://www.tenda.com.cn/). A public exploit write-up is hosted at https://lavender-bicycle-a5a.notion.site/Tenda-AC10U-fromadvsetlanip-2d753a41781f800c86c8d388a38e8101. Security practitioners should consult these resources for any patches or mitigations.
The exploit has been made publicly available and could be used for attacks.
Details
- CWE(s)