CVE-2025-1851

High

Published: 03 March 2025

Modified: 10 April 2025
KEV Added
Patch
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0117 (79.1th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1851 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda AC7 firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

A critical stack-based buffer overflow vulnerability affects the Tenda AC7 wireless router in firmware versions up to 15.03.06.44. The flaw resides in the formSetFirewallCfg function of the /goform/SetFirewallCfg endpoint and is triggered by unsanitized input to the firewallEn argument, corresponding to CWE-119 and CWE-121.

An attacker with low-privileged network access can send a crafted HTTP request to the affected endpoint and trigger the overflow remotely. Successful exploitation can result in arbitrary code execution or a crash that impacts confidentiality, integrity, and availability on the device.

Public references include a detailed proof-of-concept on GitHub and entries in VulDB, but no vendor advisory or patch information is provided in the available sources. The EPSS score remains flat at 0.0117 with no observed increase after disclosure.

Vulnerability details

A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15.03.06.44. This affects the function formSetFirewallCfg of the file /goform/SetFirewallCfg. The manipulation of the argument firewallEn leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A stack-based buffer overflow in the public-facing web management interface (/goform/SetFirewallCfg) of the Tenda AC7 router allows remote unauthenticated attackers to achieve root code execution via crafted firewallEn input.

CVEs Like This One

CVE-2025-8017 (same product: Tenda AC7)
CVE-2025-11528 (same product: Tenda AC7)
CVE-2025-11525 (same product: Tenda AC7)
CVE-2025-11527 (same product: Tenda AC7)
CVE-2025-11586 (same product: Tenda AC7)
CVE-2025-11526 (same product: Tenda AC7)
CVE-2025-11524 (same product: Tenda AC7)
CVE-2025-29135 (same product: Tenda AC7)
CVE-2026-4974 (same product: Tenda AC7)
CVE-2025-29137 (same product: Tenda AC7)

Affected Assets

tenda ac7 firmware, versions ≤ 15.03.06.44

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly remediates the stack-based buffer overflow in the formSetFirewallCfg function by identifying, prioritizing, and applying firmware patches or upgrades for affected Tenda AC7 routers.

prevent

Requires validation and sanitization of the firewallEn argument in the /goform/SetFirewallCfg endpoint to prevent buffer overflow exploitation via improper input handling.

prevent

Implements memory protection mechanisms such as stack canaries, ASLR, and non-executable stacks to mitigate successful stack-based buffer overflow exploitation leading to arbitrary code execution.
