CVE-2025-8178
Published: 26 July 2025
Summary
CVE-2025-8178 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac10 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A critical heap-based buffer overflow vulnerability, tracked as CVE-2025-8178 and assigned CWE-119 and CWE-122, affects the Tenda AC10 wireless router running firmware 16.03.10.13. The flaw resides in an unknown function within the /goform/RequestsProcessLaid endpoint; unsanitized input supplied to the device1D argument can corrupt heap memory and is reachable over the network.
An attacker with low-privileged network access can send a crafted request to trigger the overflow. Successful exploitation may allow arbitrary code execution or a denial-of-service condition on the device, consistent with the CVSS 7.4 rating that reflects high impact on confidentiality, integrity, and availability. A public exploit for the issue has already been disclosed.
The EPSS score remains low and unchanged at 0.0113 with no observed upward trajectory after publication. No vendor advisory or patch information is provided in the available references, which include only vulnerability database entries and the vendor’s general site.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22779
Vulnerability details
A vulnerability classified as critical has been found in Tenda AC10 16.03.10.13. Affected is an unknown function of the file /goform/RequestsProcessLaid. The manipulation of the argument device1D leads to heap-based buffer overflow. It is possible to launch the attack remotely.…
more
The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote heap buffer overflow in public web form (/goform/RequestsProcessLaid) directly enables T1190 (Exploit Public-Facing Application) on the router; successful exploitation yields arbitrary code execution and full device compromise from low privileges, mapping to T1068 (Exploitation for Privilege Escalation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the heap-based buffer overflow flaw in the Tenda AC10 firmware by identifying, prioritizing, and applying vendor patches.
Requires validation of the 'device1D' argument in /goform/RequestsProcessLaid to block malformed inputs that trigger the heap buffer overflow.
Implements memory protection mechanisms such as heap canaries or safe unlinking to mitigate exploitation of the heap buffer overflow.