CVE-2025-8060
Published: 23 July 2025
Summary
CVE-2025-8060 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac23 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-8060 is a stack-based buffer overflow vulnerability affecting the Tenda AC23 wireless router running firmware version 16.03.07.52. It resides in the sub_46C940 function of the /goform/setMacFilterCfg endpoint inside the httpd component and is triggered by unsanitized input to the deviceList argument. The issue is tracked under CWE-119 and CWE-121 and carries a CVSS 4.0 score of 7.4.
An authenticated remote attacker can send a crafted HTTP request to the affected endpoint, causing memory corruption that may result in arbitrary code execution or a crash of the web server process. Public proof-of-concept code has already been released, confirming that the attack requires no user interaction beyond valid credentials and can be launched over the network.
The listed references point to a detailed technical write-up and VulDB entries but contain no vendor-supplied patch or mitigation guidance at the time of publication. The associated EPSS score remains flat at 0.0110 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22406
Vulnerability details
A vulnerability has been found in Tenda AC23 16.03.07.52 and classified as critical. Affected by this vulnerability is the function sub_46C940 of the file /goform/setMacFilterCfg of the component httpd. The manipulation of the argument deviceList leads to stack-based buffer overflow.…
more
The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the httpd web interface (/goform/setMacFilterCfg) allows remote unauthenticated attackers to achieve arbitrary code execution by manipulating the deviceList parameter, enabling exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the stack-based buffer overflow vulnerability by applying vendor firmware patches or updates to the affected Tenda AC23 httpd component.
Validates and sanitizes the deviceList argument in the /goform/setMacFilterCfg endpoint to prevent the buffer overflow triggered by malformed input.
Implements memory protections such as stack canaries, ASLR, and DEP to block arbitrary code execution from the stack-based buffer overflow even if triggered.