Cyber Resilience

CVE-2025-29386

CriticalPublic PoC

Published: 14 March 2025

Published
14 March 2025
Modified
19 March 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0223 84.9th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29386 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Tenda Ac9 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

Tenda AC9 v1.0 running firmware V15.03.05.14_multi contains a stack-based buffer overflow in the mac parameter handler at the /goform/AdvSetMacMtuWan endpoint. The flaw is tracked as CVE-2025-29386, carries a CVSS 3.1 score of 9.8, and is classified under CWE-787. Successful exploitation permits remote arbitrary code execution on the device.

An unauthenticated attacker with network access to the WAN or LAN interface can supply a crafted mac value that overflows the stack buffer. Because the vulnerability requires no credentials or user interaction, an adversary can achieve full control of the router, including the ability to read, modify, or delete data and to disrupt device operation.

The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.0425, indicating that exploitation interest increased after public disclosure. The sole reference currently available is a technical write-up hosted on GitHub that describes the vulnerable parameter and proof-of-concept details; no vendor advisory or firmware patch information is included in the supplied data.

EU & UK References

Vulnerability details

In Tenda AC9 v1.0 V15.03.05.14_multi, the mac parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack overflow in the /goform/AdvSetMacMtuWan web endpoint enables remote arbitrary code execution on the public-facing router management interface.

CVEs Like This One

CVE-2025-29385Same product: Tenda Ac9
CVE-2025-29384Same product: Tenda Ac9
CVE-2025-29387Same product: Tenda Ac9
CVE-2025-22946Same product: Tenda Ac9
CVE-2026-6016Same product: Tenda Ac9
CVE-2026-2191Same product: Tenda Ac9
CVE-2026-2192Same product: Tenda Ac9
CVE-2025-22949Same product: Tenda Ac9
CVE-2026-6015Same product: Tenda Ac9
CVE-2025-29031Same vendor: Tenda

Affected Assets

tenda
ac9 firmware
15.03.05.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification, reporting, and correction of system flaws like this stack overflow, enabling firmware patching to eliminate the vulnerability.

prevent

SI-10 mandates validation of information inputs such as the 'mac' parameter with bounds checking to directly prevent stack buffer overflows from crafted HTTP requests.

preventdetect

SI-16 implements memory protections like stack canaries and DEP to prevent or detect exploitation of stack overflows leading to arbitrary code execution.

References