CVE-2025-15356
Published: 30 December 2025
Summary
CVE-2025-15356 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac20 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of the buffer overflow flaw in the Tenda AC20 /goform/PowerSaveSet function via patches or updates.
Implements validation and sanitization of user inputs like powerSavingEn, time, powerSaveDelay, and ledCloseType to prevent buffer overflows in the sscanf function.
Deploys memory protection mechanisms such as stack canaries, ASLR, and DEP to mitigate exploitation of the buffer overflow even if inputs are malformed.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in router web interface (/goform/PowerSaveSet) enables remote code execution via exploitation of a public-facing application.
NVD Description
A vulnerability has been found in Tenda AC20 up to 16.03.08.12. The impacted element is the function sscanf of the file /goform/PowerSaveSet. The manipulation of the argument powerSavingEn/time/powerSaveDelay/ledCloseType leads to buffer overflow. The attack can be initiated remotely. The exploit…
more
has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-15356 is a buffer overflow vulnerability affecting Tenda AC20 routers up to version 16.03.08.12. The issue resides in the sscanf function within the /goform/PowerSaveSet file, where manipulation of arguments such as powerSavingEn, time, powerSaveDelay, or ledCloseType triggers the overflow. It is classified under CWE-119 and CWE-120, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation over the network with low attack complexity and requires only low privileges, such as a valid user account, without needing user interaction. Attackers can achieve high impacts across confidentiality, integrity, and availability, potentially leading to arbitrary code execution on the affected device.
Public references include proof-of-concept exploits disclosed on GitHub at repositories under xyh4ck/iot_poc, specifically detailing the Tenda AC20 buffer overflow, as well as entries on VulDB (ctiid.338742, id.338742, submit.726360). No vendor advisories or patches are specified in the available information.
The exploit has been publicly disclosed and may be used in the wild.
Details
- CWE(s)