CVE-2025-7914
Published: 21 July 2025
Summary
CVE-2025-7914 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac6 Firmware. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-7914 is a critical buffer overflow vulnerability affecting the setparentcontrolinfo function within the httpd component of Tenda AC6 firmware version 15.03.06.50. The flaw stems from improper input validation that permits memory corruption, classified under CWE-119 and CWE-120, and carries a CVSS 4.0 score of 8.7 reflecting network-accessible attack conditions with low complexity and high impact on confidentiality, integrity, and availability.
An authenticated attacker can exploit the issue remotely by sending crafted requests to the web management interface, enabling potential arbitrary code execution or service disruption without user interaction.
Public references include a technical analysis and reproduction details hosted on GitHub along with entries in VulDB, while the vendor site provides no additional mitigation guidance in the available data. The associated EPSS score has remained flat at 0.0109 with no observed increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22045
Vulnerability details
A vulnerability has been found in Tenda AC6 15.03.06.50 and classified as critical. Affected by this vulnerability is the function setparentcontrolinfo of the component httpd. The manipulation leads to buffer overflow. The attack can be launched remotely.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the httpd web server component of a network device (router) directly enables remote exploitation of a public-facing application by authenticated attackers, leading to RCE.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents buffer overflow exploitation by validating and sanitizing inputs to the vulnerable setparentcontrolinfo function in the httpd component.
Implements memory safeguards such as stack canaries, ASLR, and DEP to block arbitrary code execution even if the buffer overflow in httpd is triggered.
Requires timely firmware updates to remediate the known buffer overflow vulnerability in Tenda AC6 httpd version 15.03.06.50.