CVE-2025-29386
Published: 14 March 2025
Summary
CVE-2025-29386 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Tenda Ac9 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
Tenda AC9 v1.0 running firmware V15.03.05.14_multi contains a stack-based buffer overflow in the mac parameter handler at the /goform/AdvSetMacMtuWan endpoint. The flaw is tracked as CVE-2025-29386, carries a CVSS 3.1 score of 9.8, and is classified under CWE-787. Successful exploitation permits remote arbitrary code execution on the device.
An unauthenticated attacker with network access to the WAN or LAN interface can supply a crafted mac value that overflows the stack buffer. Because the vulnerability requires no credentials or user interaction, an adversary can achieve full control of the router, including the ability to read, modify, or delete data and to disrupt device operation.
The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.0425, indicating that exploitation interest increased after public disclosure. The sole reference currently available is a technical write-up hosted on GitHub that describes the vulnerable parameter and proof-of-concept details; no vendor advisory or firmware patch information is included in the supplied data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6522
Vulnerability details
In Tenda AC9 v1.0 V15.03.05.14_multi, the mac parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack overflow in the /goform/AdvSetMacMtuWan web endpoint enables remote arbitrary code execution on the public-facing router management interface.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely identification, reporting, and correction of system flaws like this stack overflow, enabling firmware patching to eliminate the vulnerability.
SI-10 mandates validation of information inputs such as the 'mac' parameter with bounds checking to directly prevent stack buffer overflows from crafted HTTP requests.
SI-16 implements memory protections like stack canaries and DEP to prevent or detect exploitation of stack overflows leading to arbitrary code execution.