Skip to main content
CVE Vulnerability Database

CVE-2025-0566: Tenda AC15 Buffer Overflow Vulnerability

CVE-2025-0566 is a critical stack-based buffer overflow in Tenda AC15 Firmware affecting the formSetDevNetName function. Attackers can exploit this remotely to compromise devices. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2025-0566 Overview

CVE-2025-0566 is a stack-based buffer overflow vulnerability in the Tenda AC15 router running firmware version 15.13.07.13. The flaw resides in the formSetDevNetName function within the /goform/SetDevNetName endpoint. Attackers can trigger the overflow by manipulating the mac argument supplied to this endpoint. The vulnerability is remotely exploitable across the network and has been publicly disclosed, increasing the risk of opportunistic exploitation against exposed devices. The issue is tracked under CWE-119 and CWE-787.

Critical Impact

Remote attackers with low privileges can corrupt stack memory on the device, potentially achieving arbitrary code execution and full compromise of the router.

Affected Products

  • Tenda AC15 (hardware)
  • Tenda AC15 firmware version 15.13.07.13
  • Deployments exposing the web management interface to untrusted networks

Discovery Timeline

  • 2025-01-19 - CVE-2025-0566 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-0566

Vulnerability Analysis

The vulnerability exists in the formSetDevNetName handler exposed through the /goform/SetDevNetName HTTP endpoint of the Tenda AC15 router. The handler processes a mac parameter supplied by the client and copies its contents into a fixed-size stack buffer without sufficient length validation. Because the input length is attacker-controlled, a crafted request can write past the buffer boundary, corrupting adjacent stack data including the saved return address. The flaw is reachable across the network and requires only low-privilege authentication to trigger. Successful exploitation can lead to denial of service or arbitrary code execution in the context of the router's web service, which typically runs with elevated privileges on the embedded Linux platform. The EPSS score of 8.654% places this vulnerability in a high percentile relative to other published CVEs, reflecting the disclosed proof-of-concept and the broad attack surface of consumer routers.

Root Cause

The root cause is missing or inadequate bounds checking on the mac parameter before it is copied into a stack-allocated buffer. Embedded router firmware frequently relies on unsafe string functions such as strcpy or sprintf to handle web form inputs, which permits stack frame corruption when input exceeds the destination buffer size. This pattern aligns with CWE-121 stack-based buffer overflow weaknesses commonly observed in Tenda goform handlers.

Attack Vector

An attacker sends an HTTP POST request to /goform/SetDevNetName containing an oversized mac parameter value. If the router's web management interface is reachable from the WAN or from a hostile LAN segment, the request triggers the overflow directly. On internal networks, a low-privileged user can authenticate and reach the endpoint without administrator credentials. The vulnerability manifests when the unchecked mac value overruns the stack buffer; reliable code execution typically requires bypassing the device's memory protections, but denial of service is straightforward.

No verified proof-of-concept code is published in authoritative sources. Refer to the VulDB entry #292527 for additional technical context.

Detection Methods for CVE-2025-0566

Indicators of Compromise

  • HTTP POST requests to /goform/SetDevNetName containing abnormally long mac parameter values exceeding typical 17-character MAC address strings
  • Unexpected reboots, crashes, or service restarts of the Tenda AC15 web management daemon
  • Unauthorized configuration changes to device naming or network settings following suspicious HTTP traffic

Detection Strategies

  • Inspect web server and access logs on the router for POST requests to /goform/SetDevNetName with oversized parameters
  • Deploy network intrusion detection signatures that flag HTTP requests to Tenda goform endpoints containing payloads larger than expected field lengths
  • Correlate router crash events with preceding inbound HTTP traffic to identify exploitation attempts

Monitoring Recommendations

  • Forward router syslog and management interface logs to a centralized logging platform for retention and analysis
  • Monitor for new or unauthorized administrative sessions targeting the router's web interface
  • Alert on any external exposure of the router management port reachable from the public internet

How to Mitigate CVE-2025-0566

Immediate Actions Required

  • Restrict access to the router's web management interface to trusted LAN hosts only and disable WAN-side administration
  • Change default and weak administrator credentials to reduce the pool of users able to reach authenticated endpoints
  • Segment the AC15 router from sensitive internal networks until a firmware update is available

Patch Information

As of the last NVD update on 2026-06-17, no vendor patch has been referenced in authoritative advisories for firmware version 15.13.07.13. Monitor the Tenda official website for firmware updates addressing the formSetDevNetName handler. Apply any released firmware update immediately upon availability.

Workarounds

  • Disable remote management features and ensure the web interface is not exposed to the WAN
  • Place the device behind an upstream firewall that filters HTTP traffic to the management interface
  • Replace the device with a supported alternative if no firmware fix is released within an acceptable timeframe
  • Apply access control lists limiting /goform/ endpoint access to authorized administrator IP addresses

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.