CVE-2025-9791
Published: 01 September 2025
Summary
CVE-2025-9791 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac20 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation and sanitization of inputs like the wanMTU argument to prevent stack-based buffer overflows in the /goform/fromAdvSetMacMtuWan endpoint.
SI-16 implements memory protection mechanisms such as stack canaries and address space layout randomization to block exploitation of the stack buffer overflow even if triggered.
SI-2 mandates timely remediation of identified flaws like CVE-2025-9791 through firmware patching or replacement to eliminate the buffer overflow vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the public-facing web management interface (/goform/fromAdvSetMacMtuWan) of Tenda AC20 router enables remote code execution, directly facilitating T1190 (Exploit Public-Facing Application) and T1210 (Exploitation of Remote Services).
NVD Description
A weakness has been identified in Tenda AC20 16.03.08.05. This vulnerability affects unknown code of the file /goform/fromAdvSetMacMtuWan. This manipulation of the argument wanMTU causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made…
more
available to the public and could be exploited.
Deeper analysisAI
CVE-2025-9791 is a stack-based buffer overflow vulnerability affecting the Tenda AC20 router on firmware version 16.03.08.05. The flaw exists in unknown code within the /goform/fromAdvSetMacMtuWan file, triggered by manipulation of the wanMTU argument. It is associated with CWEs-119, CWE-121, and CWE-787, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers with low privileges, such as authenticated users, requiring only network access and low complexity with no user interaction. Successful exploitation can compromise confidentiality, integrity, and availability at a high level, potentially leading to arbitrary code execution on the affected device.
Advisories and references, including VulDB entries (ctiid.322106, id.322106, submit.641088) and a GitHub repository detailing the Tenda AC20 V16.03.08.05 issue with a proof-of-concept, confirm remote exploitability but do not specify patches or mitigations.
The exploit has been publicly released, heightening the risk of active exploitation against unpatched Tenda AC20 devices.
Details
- CWE(s)