CVE-2025-9089
Published: 17 August 2025
Summary
CVE-2025-9089 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda AC20 firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly prevents the stack-based buffer overflow by validating argument list inputs to the sub_48E628 function in /goform/SetIpMacBind.
Mitigates exploitation of the stack-based buffer overflow through memory protection safeguards like stack canaries or non-executable memory.
Addresses the vulnerability by requiring timely remediation of the buffer overflow flaw via firmware patching or correction.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remotely exploitable stack-based buffer overflow in the Tenda AC20 router's web interface (/goform/SetIpMacBind), enabling exploitation of a public-facing application for potential remote code execution.
NVD Description
A vulnerability was determined in Tenda AC20 16.03.08.12. This issue affects the function sub_48E628 of the file /goform/SetIpMacBind. The manipulation of the argument list leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-9089 is a stack-based buffer overflow vulnerability affecting Tenda AC20 router firmware version 16.03.08.12. The flaw exists in the sub_48E628 function of the /goform/SetIpMacBind file, where manipulation of the argument list triggers the overflow. This remotely exploitable issue is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
A remote attacker with low privileges (PR:L) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation has high impact on confidentiality (C:H), integrity (I:H), and availability (A:H), yielding a CVSS v3.1 base score of 8.8 with scope unchanged (S:U). Successful attacks may enable arbitrary code execution or system compromise.
Advisories and references, including VulDB entries (ctiid.320357, id.320357, submit.632039), document the issue but do not specify patches or vendor mitigations. A GitHub repository provides a proof-of-concept Python exploit script for the vulnerability.
The exploit has been publicly disclosed and may be used by attackers targeting unpatched Tenda AC20 devices.
Details
- CWE(s)