CVE-2025-8940
Published: 14 August 2025
Summary
CVE-2025-8940 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac20 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 33.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces validation of the 'Time' input parameter to prevent buffer overflow from oversized or malformed data in the /goform/saveParentControlInfo endpoint.
Implements memory protections like stack canaries, ASLR, and DEP to mitigate exploitation of the buffer overflow for arbitrary code execution.
Requires identification, prioritization, and timely remediation of the buffer overflow flaw via firmware patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the web management interface (/goform/saveParentControlInfo) of Tenda AC20 router enables remote exploitation of a public-facing application.
NVD Description
A vulnerability was identified in Tenda AC20 up to 16.03.08.12. Affected by this vulnerability is the function strcpy of the file /goform/saveParentControlInfo. The manipulation of the argument Time leads to buffer overflow. The attack can be launched remotely. The exploit…
more
has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-8940 is a buffer overflow vulnerability affecting Tenda AC20 routers running firmware versions up to 16.03.08.12. The issue resides in the strcpy function within the /goform/saveParentControlInfo endpoint, where manipulation of the Time argument triggers the overflow. Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability enables remote exploitation by an attacker with low privileges, such as an authenticated user on the network. By sending a crafted request to the affected endpoint, the attacker can overflow the buffer, potentially leading to arbitrary code execution, data corruption, or denial of service. The low attack complexity and lack of required user interaction make it straightforward to exploit over the network.
References, including a GitHub repository with a proof-of-concept exploit and VULDB entries, confirm the vulnerability details and public disclosure of the exploit. No specific patches or vendor mitigations are detailed in the available information.
Details
- CWE(s)