CVE-2025-9023
Published: 15 August 2025
Summary
CVE-2025-9023 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac7 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the buffer overflow vulnerability by identifying, prioritizing, and applying firmware patches for the affected Tenda router versions.
Prevents buffer overflow exploitation by enforcing input validation mechanisms on the Time argument in the formSetSchedLed function.
Mitigates successful remote code execution from the buffer overflow through memory protections like ASLR and non-executable stacks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unauthenticated remote buffer overflow in the Tenda router's web interface (/goform/SetLEDCfg formSetSchedLed Time parameter) enables exploitation of a public-facing application for initial access (T1190) and exploitation of remote services such as the web management interface (T1210), with public PoC available.
NVD Description
A vulnerability has been found in Tenda AC7 and AC18 15.03.05.19/15.03.06.44. Affected is the function formSetSchedLed of the file /goform/SetLEDCfg. The manipulation of the argument Time leads to buffer overflow. It is possible to launch the attack remotely. The exploit…
more
has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-9023 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting Tenda AC7 and AC18 routers on firmware versions 15.03.05.19 and 15.03.06.44. The flaw resides in the formSetSchedLed function within the /goform/SetLEDCfg file, where manipulation of the Time argument triggers the overflow. Published on 2025-08-15, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Low-privileged remote attackers with network access (PR:L) can exploit this vulnerability without user interaction. Successful exploitation enables high-impact outcomes, including unauthorized data access (C:H), modification (I:H), and disruption (A:H), likely leading to remote code execution on the affected routers.
Details on the vulnerability and public exploits are documented in GitHub repositories at https://github.com/zezhifu1/cve_report/blob/main/AC18/formsetschedled.md and https://github.com/zezhifu1/cve_report/blob/main/AC7/formsetschedled.md, as well as VulDB entries at https://vuldb.com/?ctiid.320088, https://vuldb.com/?id.320088, and https://vuldb.com/?submit.629692. The exploit has been disclosed publicly and may be used.
The vulnerability's public exploit availability heightens risk for unpatched Tenda AC7 and AC18 deployments.
Details
- CWE(s)