CVE-2025-8178

High

Published: 26 July 2025

Published

26 July 2025

Modified

01 August 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0037 59.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8178 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac10 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the heap-based buffer overflow flaw in the Tenda AC10 firmware by identifying, prioritizing, and applying vendor patches.

SI-10 Information Input Validation good match

prevent

Requires validation of the 'device1D' argument in /goform/RequestsProcessLaid to block malformed inputs that trigger the heap buffer overflow.

SI-16 Memory Protection partial match

prevent

Implements memory protection mechanisms such as heap canaries or safe unlinking to mitigate exploitation of the heap buffer overflow.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Remote heap buffer overflow in public web form (/goform/RequestsProcessLaid) directly enables T1190 (Exploit Public-Facing Application) on the router; successful exploitation yields arbitrary code execution and full device compromise from low privileges, mapping to T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability classified as critical has been found in Tenda AC10 16.03.10.13. Affected is an unknown function of the file /goform/RequestsProcessLaid. The manipulation of the argument device1D leads to heap-based buffer overflow. It is possible to launch the attack remotely.…

The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-8178 is a critical heap-based buffer overflow vulnerability (CWE-119, CWE-122) affecting Tenda AC10 routers running firmware version 16.03.10.13. The flaw resides in an unknown function within the /goform/RequestsProcessLaid file, where manipulation of the "device1D" argument triggers the overflow.

Attackers with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 8.8 (C:H/I:H/A:H). Successful exploitation could grant high impacts on confidentiality, integrity, and availability, potentially allowing full compromise of the affected device.

VulDB advisories note that an exploit has been publicly disclosed and may be used in attacks. No specific patches or mitigations are detailed in the available references; security practitioners should monitor the vendor site at https://www.tenda.com.cn/ and related advisories such as those on VulDB for updates.

Details

CWE(s): CWE-119 CWE-122

Affected Products

tenda

ac10 firmware

16.03.10.13

CVEs Like This One

CVE-2026-5548Same product: Tenda Ac10

CVE-2025-12622Same product: Tenda Ac10

CVE-2025-25674Same product: Tenda Ac10

CVE-2025-67073Same product: Tenda Ac10

CVE-2025-25675Same product: Tenda Ac10

CVE-2026-5547Same product: Tenda Ac10

CVE-2025-15230Same vendor: Tenda

CVE-2026-5045Same vendor: Tenda

CVE-2026-3273Same vendor: Tenda

CVE-2026-3378Same vendor: Tenda

References

https://vuldb.com/?ctiid.317592
Permissions Required · cna@vuldb.com
https://vuldb.com/?id.317592
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.621811
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com
https://www.yuque.com/ba1ma0-an29k/nnxoap/qkixf5578145igdt
Permissions Required · cna@vuldb.com