CVE-2025-8940
Published: 14 August 2025
Summary
CVE-2025-8940 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac20 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A vulnerability has been identified in Tenda AC20 routers running firmware up to version 16.03.08.12. It resides in the strcpy function within the /goform/saveParentControlInfo endpoint, where improper handling of the Time argument allows a buffer overflow. The issue is tracked under CWE-119 and CWE-120 and carries a CVSS 4.0 score of 7.4, reflecting high impact on confidentiality, integrity, and availability when exploited over the network.
An authenticated remote attacker can supply a crafted Time parameter to trigger the overflow, potentially leading to arbitrary code execution or denial of service on the device. Public proof-of-concept code has been released, confirming that the attack requires only low attack complexity and no user interaction beyond valid credentials.
The EPSS score remains low and unchanged at 0.0155 with no observed increase after disclosure. Available references consist of public disclosure and exploit repositories rather than vendor advisories, so no official patch or mitigation guidance is documented in the provided sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24670
Vulnerability details
A vulnerability was identified in Tenda AC20 up to 16.03.08.12. Affected by this vulnerability is the function strcpy of the file /goform/saveParentControlInfo. The manipulation of the argument Time leads to buffer overflow. The attack can be launched remotely. The exploit…
more
has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the web management interface (/goform/saveParentControlInfo) of Tenda AC20 router enables remote exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces validation of the 'Time' input parameter to prevent buffer overflow from oversized or malformed data in the /goform/saveParentControlInfo endpoint.
Implements memory protections like stack canaries, ASLR, and DEP to mitigate exploitation of the buffer overflow for arbitrary code execution.
Requires identification, prioritization, and timely remediation of the buffer overflow flaw via firmware patching.