Cyber Resilience

CVE-2025-8178

High

Published: 26 July 2025

Published
26 July 2025
Modified
01 August 2025
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0113 78.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8178 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac10 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A critical heap-based buffer overflow vulnerability, tracked as CVE-2025-8178 and assigned CWE-119 and CWE-122, affects the Tenda AC10 wireless router running firmware 16.03.10.13. The flaw resides in an unknown function within the /goform/RequestsProcessLaid endpoint; unsanitized input supplied to the device1D argument can corrupt heap memory and is reachable over the network.

An attacker with low-privileged network access can send a crafted request to trigger the overflow. Successful exploitation may allow arbitrary code execution or a denial-of-service condition on the device, consistent with the CVSS 7.4 rating that reflects high impact on confidentiality, integrity, and availability. A public exploit for the issue has already been disclosed.

The EPSS score remains low and unchanged at 0.0113 with no observed upward trajectory after publication. No vendor advisory or patch information is provided in the available references, which include only vulnerability database entries and the vendor’s general site.

EU & UK References

Vulnerability details

A vulnerability classified as critical has been found in Tenda AC10 16.03.10.13. Affected is an unknown function of the file /goform/RequestsProcessLaid. The manipulation of the argument device1D leads to heap-based buffer overflow. It is possible to launch the attack remotely.…

more

The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Remote heap buffer overflow in public web form (/goform/RequestsProcessLaid) directly enables T1190 (Exploit Public-Facing Application) on the router; successful exploitation yields arbitrary code execution and full device compromise from low privileges, mapping to T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5548Same product: Tenda Ac10
CVE-2025-12622Same product: Tenda Ac10
CVE-2025-67073Same product: Tenda Ac10
CVE-2025-25674Same product: Tenda Ac10
CVE-2026-5547Same product: Tenda Ac10
CVE-2025-25675Same product: Tenda Ac10
CVE-2025-15230Same vendor: Tenda
CVE-2026-3273Same vendor: Tenda
CVE-2026-2910Same vendor: Tenda
CVE-2026-3168Same vendor: Tenda

Affected Assets

tenda
ac10 firmware
16.03.10.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the heap-based buffer overflow flaw in the Tenda AC10 firmware by identifying, prioritizing, and applying vendor patches.

prevent

Requires validation of the 'device1D' argument in /goform/RequestsProcessLaid to block malformed inputs that trigger the heap buffer overflow.

prevent

Implements memory protection mechanisms such as heap canaries or safe unlinking to mitigate exploitation of the heap buffer overflow.

References