Cyber Resilience

CVE-2025-7914

High

Published: 21 July 2025

Published
21 July 2025
Modified
23 July 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0109 78.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7914 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac6 Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-7914 is a critical buffer overflow vulnerability affecting the setparentcontrolinfo function within the httpd component of Tenda AC6 firmware version 15.03.06.50. The flaw stems from improper input validation that permits memory corruption, classified under CWE-119 and CWE-120, and carries a CVSS 4.0 score of 8.7 reflecting network-accessible attack conditions with low complexity and high impact on confidentiality, integrity, and availability.

An authenticated attacker can exploit the issue remotely by sending crafted requests to the web management interface, enabling potential arbitrary code execution or service disruption without user interaction.

Public references include a technical analysis and reproduction details hosted on GitHub along with entries in VulDB, while the vendor site provides no additional mitigation guidance in the available data. The associated EPSS score has remained flat at 0.0109 with no observed increase since disclosure.

EU & UK References

Vulnerability details

A vulnerability has been found in Tenda AC6 15.03.06.50 and classified as critical. Affected by this vulnerability is the function setparentcontrolinfo of the component httpd. The manipulation leads to buffer overflow. The attack can be launched remotely.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in the httpd web server component of a network device (router) directly enables remote exploitation of a public-facing application by authenticated attackers, leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-12225Same product: Tenda Ac6
CVE-2025-52221Same product: Tenda Ac6
CVE-2026-4961Same product: Tenda Ac6
CVE-2025-0349Same product: Tenda Ac6
CVE-2025-1814Same product: Tenda Ac6
CVE-2026-4960Same product: Tenda Ac6
CVE-2025-29031Same product: Tenda Ac6
CVE-2024-46450Same product: Tenda Ac6
CVE-2025-32010Same product: Tenda Ac6
CVE-2025-27129Same product: Tenda Ac6

Affected Assets

tenda
ac6 firmware
15.03.06.50

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents buffer overflow exploitation by validating and sanitizing inputs to the vulnerable setparentcontrolinfo function in the httpd component.

prevent

Implements memory safeguards such as stack canaries, ASLR, and DEP to block arbitrary code execution even if the buffer overflow in httpd is triggered.

prevent

Requires timely firmware updates to remediate the known buffer overflow vulnerability in Tenda AC6 httpd version 15.03.06.50.

References