CVE-2025-52221
Published: 08 April 2026
Summary
CVE-2025-52221 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Tenda AC6 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation of inputs such as funcname, funcpara1, and funcpara2 to prevent buffer overflows from malformed or oversized parameters in the formSetCfm function.
SI-16 provides memory protections like non-executable memory and address randomization to mitigate exploitation of the buffer overflow even if invalid inputs are processed.
SI-2 requires identification, reporting, and correction of the specific buffer overflow flaw in the formSetCfm function through timely patching or code remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in unauthenticated web endpoint (formSetCfm) on public-facing router firmware directly enables remote code execution via crafted HTTP parameters.
NVD Description
Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetCfm function via the funcname, funcpara1, and funcpara2 parameters.
Deeper analysis
CVE-2025-52221 is a buffer overflow vulnerability affecting Tenda AC6 routers running firmware version 15.03.05.16_multi. The issue resides in the formSetCfm function and can be triggered through specially crafted values in the funcname, funcpara1, and funcpara2 parameters. It is associated with CWE-787 (Out-of-bounds Write) and CWE-120 (Buffer Copy without Checking Size of Input), and was published on 2026-04-08T18:24:51.257 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited remotely over the network with low complexity and requires no privileges, authentication, or user interaction. Attackers can send malicious requests to the affected formSetCfm endpoint, potentially leading to arbitrary code execution, data disclosure, system modification, or denial of service, consistent with the high impact ratings for confidentiality, integrity, and availability.
Technical details on the vulnerability, including exploit information, are documented in community GitHub repositories such as https://github.com/faqiadegege/IoTVuln/blob/main/tendaAc6_formSetCfm_funcname_overflow/detail.md and https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md. No vendor advisories or patches are referenced in the available data.
Details
- CWE(s)