CVE-2025-1851
Published: 03 March 2025
Summary
CVE-2025-1851 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac7 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the stack-based buffer overflow in the formSetFirewallCfg function by identifying, prioritizing, and applying firmware patches or upgrades for affected Tenda AC7 routers.
Requires validation and sanitization of the firewallEn argument in the /goform/SetFirewallCfg endpoint to prevent buffer overflow exploitation via improper input handling.
Implements memory protection mechanisms such as stack canaries, ASLR, and non-executable stacks to mitigate successful stack-based buffer overflow exploitation leading to arbitrary code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the public-facing web management interface (/goform/SetFirewallCfg) of Tenda AC7 router allows remote unauthenticated attackers to achieve root code execution via crafted firewallEn input.
NVD Description
A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15.03.06.44. This affects the function formSetFirewallCfg of the file /goform/SetFirewallCfg. The manipulation of the argument firewallEn leads to stack-based buffer overflow. It is possible to initiate…
more
the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-1851 is a critical stack-based buffer overflow vulnerability affecting Tenda AC7 routers running firmware versions up to 15.03.06.44. The issue resides in the formSetFirewallCfg function within the /goform/SetFirewallCfg endpoint, where manipulation of the firewallEn argument triggers the overflow. Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on March 3, 2025.
The vulnerability enables remote exploitation by low-privileged users (PR:L), requiring no user interaction and low attack complexity over the network. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution, denial of service, or full compromise of the affected device.
Advisories from VulDB and a public GitHub repository detail the vulnerability, including a disclosed exploit in the Raining-101/IOT_cve project targeting the specific firmware version. No vendor patch is referenced in available sources, though the Tenda website is listed for potential firmware updates. Security practitioners should isolate affected devices and monitor for exploitation attempts given the public PoC availability.
The exploit has been publicly disclosed and may be actively used, increasing risk for unpatched Tenda AC7 deployments in home or small office environments.
Details
- CWE(s)