Cyber Posture

CVE-2025-7914

High

Published: 21 July 2025
Modified: 23 July 2025
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0039 (60.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-7914 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda AC6 firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 40.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly prevents buffer overflow exploitation by validating and sanitizing inputs to the vulnerable setparentcontrolinfo function in the httpd component.

- SI-16 Memory Protection (prevent): Implements memory safeguards such as stack canaries, ASLR, and DEP to block arbitrary code execution even if the buffer overflow in httpd is triggered.

- prevent: Requires timely firmware updates to remediate the known buffer overflow vulnerability in Tenda AC6 httpd version 15.03.06.50.
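As an added example of the SI-10 control (not Tenda's code, and not taken from any referenced advisory or repository), the following C shows what bounds-checked input handling looks like in an embedded httpd handler: a form-field extractor that rejects oversized or malformed values before they reach a fixed-size buffer. The handler, field names and request bodies are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 32  /* fixed-size destination, typical of an embedded httpd */

typedef enum { FIELD_OK = 0, FIELD_MISSING, FIELD_TOO_LONG, FIELD_BAD_CHAR } field_status;

/* Copy the value of `key` from an application/x-www-form-urlencoded body into
 * dst (capacity dst_len). A value that would not fit, or that contains a
 * non-printable byte, is rejected rather than truncated, so attacker-controlled
 * length can never overrun dst (CWE-119/CWE-120). dst is always NUL-terminated
 * on return. Hypothetical helper, not the Tenda parser. */
field_status get_form_field(const char *body, const char *key,
                            char *dst, size_t dst_len) {
    size_t klen = strlen(key);
    const char *p = body;
    if (dst_len == 0) return FIELD_TOO_LONG;
    dst[0] = '\0';
    while (p && *p) {
        const char *end = strchr(p, '&');                /* end of this pair */
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            size_t vlen = plen - klen - 1;
            if (vlen >= dst_len) return FIELD_TOO_LONG;  /* keep room for NUL */
            for (size_t i = 0; i < vlen; i++)
                if (!isprint((unsigned char)val[i])) return FIELD_BAD_CHAR;
            memcpy(dst, val, vlen);
            dst[vlen] = '\0';
            return FIELD_OK;
        }
        p = end ? end + 1 : NULL;
    }
    return FIELD_MISSING;
}

/* Constructed handler in the shape of a parental-control update. Every field
 * is validated into a correctly sized buffer before use, and any rejected
 * field aborts the whole request. Field names are hypothetical. */
int handle_parent_control(const char *body) {
    char devname[FIELD_MAX];
    char mac[18];  /* "aa:bb:cc:dd:ee:ff" plus NUL */
    if (get_form_field(body, "deviceName", devname, sizeof devname) != FIELD_OK) return -1;
    if (get_form_field(body, "mac", mac, sizeof mac) != FIELD_OK) return -1;
    return 0;  /* fields are safe to hand to the device configuration layer */
}
```

Rejecting instead of truncating matters: a silently truncated value can still corrupt later parsing logic, whereas an explicit error is easy to log and alert on.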

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in the httpd web server component of a network device (router) directly enables remote exploitation of a public-facing application by authenticated attackers, leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability has been found in Tenda AC6 15.03.06.50 and classified as critical. Affected by this vulnerability is the function setparentcontrolinfo of the component httpd. The manipulation leads to buffer overflow. The attack can be launched remotely.

Deeper analysis

CVE-2025-7914 is a critical buffer overflow vulnerability (CWE-119, CWE-120) in Tenda AC6 routers running firmware version 15.03.06.50. The flaw affects the setparentcontrolinfo function within the httpd component, where remote manipulation triggers the overflow.

With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited remotely by attackers possessing low privileges, such as authenticated users. Exploitation requires low complexity and no user interaction, potentially enabling high-impact compromise of confidentiality, integrity, and availability, including arbitrary code execution or system crashes.

Advisories on VulDB (ctiid.317029, id.317029, submit.618859) and a GitHub repository (gaochen61/IoTVuln) provide details on the issue, including a proof-of-concept for the Tenda AC6 V15.03.06.50 setparentcontrolinfo endpoint. The Tenda manufacturer website (tenda.com.cn) is referenced for further information.

Details

CWE(s): CWE-119, CWE-120

Affected Products: Tenda AC6 firmware 15.03.06.50

CVEs Like This One

CVE-2025-12225 (same product: Tenda AC6)
CVE-2025-52221 (same product: Tenda AC6)
CVE-2026-4960 (same product: Tenda AC6)
CVE-2026-4961 (same product: Tenda AC6)
CVE-2025-0349 (same product: Tenda AC6)
CVE-2025-1814 (same product: Tenda AC6)
CVE-2025-27129 (same product: Tenda AC6)
CVE-2025-32010 (same product: Tenda AC6)
CVE-2025-29030 (same product: Tenda AC6)
CVE-2025-29031 (same product: Tenda AC6)
