CVE-2025-8160
Published: 25 July 2025
Summary
CVE-2025-8160 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac20 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 39.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires identifying, reporting, and correcting system flaws like this buffer overflow, directly mitigated by applying vendor patches or firmware updates for the affected Tenda AC20 httpd component.
SI-10 mandates validating information inputs such as the timeZone argument at the /goform/SetSysTimeCfg endpoint to prevent buffer overflows from malformed data.
SI-16 implements memory safeguards like address space layout randomization or data execution prevention to mitigate arbitrary code execution from successful buffer overflows.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing httpd (/goform/SetSysTimeCfg) enables remote exploitation for initial access (T1190) and application/system DoS (T1499.004), with public PoC confirming remote trigger for crash or potential RCE.
NVD Description
A vulnerability classified as critical has been found in Tenda AC20 up to 16.03.08.12. Affected is an unknown function of the file /goform/SetSysTimeCfg of the component httpd. The manipulation of the argument timeZone leads to buffer overflow. It is possible…
more
to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-8160 is a critical buffer overflow vulnerability affecting Tenda AC20 routers up to version 16.03.08.12. The flaw exists in an unknown function of the /goform/SetSysTimeCfg file within the httpd component, where manipulation of the timeZone argument triggers the overflow. Published on 2025-07-25, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs-119 and CWE-120.
The vulnerability enables remote exploitation by an attacker possessing low privileges, requiring only network access, low attack complexity, and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data compromise, or system disruption on the affected router.
Advisories and additional details are documented on VulDB (ctiid.317574, id.317574, submit.620625) and a GitHub repository at CH13hh/cve/blob/main/tenda1.md, which discloses a public exploit. The vendor's site at tenda.com.cn is also referenced, though specific mitigation or patch guidance is not detailed in the initial disclosure. The exploit has been made publicly available and may be actively used.
Details
- CWE(s)