CVE-2025-29385
Published: 14 March 2025
Summary
CVE-2025-29385 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Tenda Ac9 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
The vulnerability is a stack-based buffer overflow in the cloneType parameter of the /goform/AdvSetMacMtuWan endpoint within Tenda AC9 v1.0 firmware version V15.03.05.14_multi. It is identified as CVE-2025-29385, carries a CVSS v3.1 score of 9.8, and is associated with CWE-787 for out-of-bounds writes that enable remote arbitrary code execution.
An unauthenticated attacker with network access can exploit the flaw by submitting a malicious HTTP request containing an oversized or malformed cloneType value, resulting in full compromise of the device's confidentiality, integrity, and availability without requiring user interaction.
A technical description of the issue is published at https://github.com/shuqi233/loophole/blob/main/Tenda%20AC9/AdvSetMacMtuWan3.md, although the supplied references contain no vendor advisory or patch information.
The associated EPSS score rose from a low baseline to a recorded peak of 0.0425, indicating emerging exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6519
Vulnerability details
In Tenda AC9 v1.0 V15.03.05.14_multi, the cloneType parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The stack overflow vulnerability in the router's web interface endpoint /goform/AdvSetMacMtuWan enables remote arbitrary code execution, directly mapping to exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly validates the cloneType parameter in the /goform/AdvSetMacMtuWan endpoint to prevent stack overflows from malformed inputs leading to RCE.
Ensures timely application of firmware patches to remediate the specific stack overflow vulnerability in Tenda AC9 v1.0.
Deploys memory protection mechanisms like stack canaries and address space layout randomization to block exploitation of the stack overflow for arbitrary code execution.