CVE-2025-9046
Published: 15 August 2025
Summary
CVE-2025-9046 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac20 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces validation of the deviceList argument to prevent stack-based buffer overflows in the sub_46A2AC function of /goform/setMacFilterCfg.
Implements memory protections like stack canaries and DEP to block exploitation of the stack buffer overflow for arbitrary code execution.
Mandates risk-based remediation of the buffer overflow flaw via firmware patching to eliminate the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the public-facing web management interface (/goform/setMacFilterCfg) of Tenda AC20 router enables remote code execution via manipulation of deviceList parameter, directly facilitating exploitation of public-facing applications.
NVD Description
A vulnerability was identified in Tenda AC20 16.03.08.12. This issue affects the function sub_46A2AC of the file /goform/setMacFilterCfg. The manipulation of the argument deviceList leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed…
more
to the public and may be used.
Deeper analysisAI
CVE-2025-9046 is a stack-based buffer overflow vulnerability affecting Tenda AC20 router firmware version 16.03.08.12. The flaw exists in the sub_46A2AC function of the /goform/setMacFilterCfg file, where manipulation of the deviceList argument triggers the overflow. Published on 2025-08-15, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), earning a CVSS v3.1 base score of 8.8.
The vulnerability enables remote exploitation by an attacker with low privileges over the network (AV:N/AC:L/PR:L/UI:N/S:U). No user interaction is required, and successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution on the affected device.
Advisories reference a public GitHub repository containing a PoC Python exploit script and documentation for the /goform/setMacFilterCfg endpoint. VulDB entries (ctiid.320267, id.320267) confirm the remote stack-based buffer overflow and public disclosure, but no vendor patches or specific mitigations are detailed in the provided references.
The exploit has been publicly disclosed and may be used, increasing the risk of real-world attacks against unpatched Tenda AC20 devices.
Details
- CWE(s)