Cyber Resilience

CVE-2025-29385

CriticalPublic PoC

Published: 14 March 2025

Published
14 March 2025
Modified
19 March 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0223 84.9th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29385 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Tenda Ac9 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

The vulnerability is a stack-based buffer overflow in the cloneType parameter of the /goform/AdvSetMacMtuWan endpoint within Tenda AC9 v1.0 firmware version V15.03.05.14_multi. It is identified as CVE-2025-29385, carries a CVSS v3.1 score of 9.8, and is associated with CWE-787 for out-of-bounds writes that enable remote arbitrary code execution.

An unauthenticated attacker with network access can exploit the flaw by submitting a malicious HTTP request containing an oversized or malformed cloneType value, resulting in full compromise of the device's confidentiality, integrity, and availability without requiring user interaction.

A technical description of the issue is published at https://github.com/shuqi233/loophole/blob/main/Tenda%20AC9/AdvSetMacMtuWan3.md, although the supplied references contain no vendor advisory or patch information.

The associated EPSS score rose from a low baseline to a recorded peak of 0.0425, indicating emerging exploitation interest after public disclosure.

EU & UK References

Vulnerability details

In Tenda AC9 v1.0 V15.03.05.14_multi, the cloneType parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The stack overflow vulnerability in the router's web interface endpoint /goform/AdvSetMacMtuWan enables remote arbitrary code execution, directly mapping to exploitation of a public-facing application.

CVEs Like This One

CVE-2025-29386Same product: Tenda Ac9
CVE-2025-29384Same product: Tenda Ac9
CVE-2025-29387Same product: Tenda Ac9
CVE-2025-22946Same product: Tenda Ac9
CVE-2026-6016Same product: Tenda Ac9
CVE-2026-2191Same product: Tenda Ac9
CVE-2026-2192Same product: Tenda Ac9
CVE-2025-22949Same product: Tenda Ac9
CVE-2026-6015Same product: Tenda Ac9
CVE-2025-29031Same vendor: Tenda

Affected Assets

tenda
ac9 firmware
15.03.05.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates the cloneType parameter in the /goform/AdvSetMacMtuWan endpoint to prevent stack overflows from malformed inputs leading to RCE.

prevent

Ensures timely application of firmware patches to remediate the specific stack overflow vulnerability in Tenda AC9 v1.0.

prevent

Deploys memory protection mechanisms like stack canaries and address space layout randomization to block exploitation of the stack overflow for arbitrary code execution.

References