CVE-2025-11325 Overview
CVE-2025-11325 is a stack-based buffer overflow vulnerability affecting Tenda AC18 routers running firmware version 15.03.05.19(6318). The flaw resides in the /goform/fast_setting_pppoe_set endpoint, where the Username parameter is processed without proper bounds checking. Attackers with low privileges can exploit the issue remotely over the network to corrupt stack memory. Public exploit details have been released, increasing the likelihood of opportunistic attacks against exposed devices. The weakness is categorized under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Remote attackers can trigger a stack-based buffer overflow on Tenda AC18 routers by sending a crafted Username value to /goform/fast_setting_pppoe_set, enabling potential code execution or device compromise.
Affected Products
- Tenda AC18 router (hardware)
- Tenda AC18 firmware 15.03.05.19(6318)
- Deployments exposing the web management interface to untrusted networks
Discovery Timeline
- 2025-10-06 - CVE-2025-11325 published to NVD
- 2026-02-24 - Last updated in NVD database
Technical Details for CVE-2025-11325
Vulnerability Analysis
The Tenda AC18 web management interface exposes the /goform/fast_setting_pppoe_set handler, which configures PPPoE credentials during quick setup. The handler reads the Username argument from the HTTP request and copies it into a fixed-size stack buffer without validating its length. Supplying an oversized value overflows the buffer, overwriting adjacent stack data including saved registers and the return address.
On MIPS-based Tenda devices, this class of overflow typically allows attackers to control the program counter once the function returns. Combined with the lack of address space layout randomization on many SOHO routers, the condition can be escalated from a denial-of-service crash to arbitrary code execution at the privilege level of the httpd process, which typically runs as root.
Root Cause
The root cause is missing input length validation on the Username parameter before it is copied into a stack-allocated buffer. The code path does not enforce a maximum length or use a bounded copy function, allowing user-supplied data to write past the end of the destination buffer.
Attack Vector
An attacker reaches the vulnerable endpoint over HTTP. Authentication to the router web UI is required, but Tenda devices frequently ship with weak or default credentials. The attacker submits a POST request to /goform/fast_setting_pppoe_set containing an overlong Username value, triggering the overflow during request processing. See the GitHub IoT Vulnerability Documentation and VulDB #327208 for technical specifics.
Detection Methods for CVE-2025-11325
Indicators of Compromise
- HTTP POST requests to /goform/fast_setting_pppoe_set containing abnormally long Username values exceeding typical PPPoE username lengths.
- Unexpected httpd process crashes or reboots on Tenda AC18 devices following web administration traffic.
- Outbound connections from the router to unfamiliar hosts, indicating possible post-exploitation activity.
Detection Strategies
- Inspect HTTP traffic destined for the router management interface for requests targeting /goform/fast_setting_pppoe_set with parameter values exceeding 64 bytes.
- Deploy network intrusion detection signatures matching oversized Username fields in PPPoE configuration requests.
- Correlate device crash logs with preceding HTTP administrative traffic to identify exploitation attempts.
Monitoring Recommendations
- Forward router syslog and authentication events to a centralized logging platform for anomaly review.
- Alert on configuration changes to PPPoE settings outside of approved maintenance windows.
- Monitor for new administrative sessions originating from external IP ranges.
How to Mitigate CVE-2025-11325
Immediate Actions Required
- Restrict access to the router web management interface to trusted internal networks only and disable remote administration from the WAN.
- Replace default and weak administrator credentials with strong unique passwords to limit the pool of attackers with the required low privileges.
- Segment IoT and SOHO routers from sensitive corporate assets to contain potential post-exploitation movement.
Patch Information
As of the latest NVD update on 2026-02-24, no vendor patch has been published for Tenda AC18 firmware 15.03.05.19(6318). Monitor the Tenda Official Website for firmware updates addressing this issue and apply them as soon as they become available.
Workarounds
- Disable the quick setup PPPoE configuration page on the router if not required for the deployment.
- Place the router management interface behind a VPN or jump host to prevent direct network exposure.
- Consider replacing end-of-life or unpatched Tenda AC18 devices with current models that receive active security maintenance.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

