Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-25634

CVE-2025-25634: Tenda AC15 Buffer Overflow Vulnerability

CVE-2025-25634 is a stack-based buffer overflow vulnerability in Tenda AC15 Firmware affecting the GetParentControlInfo function. This security flaw could allow attackers to compromise the device. Learn about affected versions, impact, and mitigation.

Published:

CVE-2025-25634 Overview

CVE-2025-25634 is a stack-based buffer overflow vulnerability in the Tenda AC15 wireless router running firmware version 15.03.05.19. The flaw resides in the GetParentControlInfo function handling requests to /goform/GetParentControlInfo. Manipulation of the src argument overflows a fixed-size stack buffer, corrupting adjacent stack memory including the saved return address. The vulnerability is remotely reachable over the network without authentication or user interaction. It is classified under [CWE-121] Stack-Based Buffer Overflow.

Critical Impact

Unauthenticated network attackers can trigger memory corruption in the router's web management interface, potentially leading to denial of service or arbitrary code execution on the embedded device.

Affected Products

  • Tenda AC15 hardware device
  • Tenda AC15 firmware version 15.03.05.19
  • Deployments exposing the /goform/GetParentControlInfo endpoint

Discovery Timeline

  • 2025-03-05 - CVE-2025-25634 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-25634

Vulnerability Analysis

The Tenda AC15 exposes a web management interface implemented in the httpd binary. The interface routes requests to /goform/* endpoints, each mapped to a native C handler. The GetParentControlInfo handler parses the src HTTP parameter and copies its contents into a fixed-size local buffer on the stack without validating input length.

An attacker who submits an oversized src value overwrites the saved return address on the stack. On MIPS-based embedded systems like the AC15, this control over program flow commonly leads to arbitrary code execution using return-oriented programming or shellcode staged in overflowing input. In lower-complexity attacks, the corruption crashes the httpd service and disrupts router management.

Exploitation requires network reachability to the router's HTTP interface. Devices with WAN-side management enabled are exposed to remote unauthenticated attacks. LAN-side exploitation is available to any device on the wireless or wired network.

Root Cause

The root cause is missing bounds checking on the src parameter before it is copied into a stack-allocated buffer. The handler uses an unsafe string copy operation that trusts attacker-controlled input length, violating [CWE-121].

Attack Vector

The attack vector is a crafted HTTP POST or GET request to /goform/GetParentControlInfo containing an oversized src parameter. See the GitHub IoT PoC Repository for the technical writeup describing the vulnerable code path and offset details.

Detection Methods for CVE-2025-25634

Indicators of Compromise

  • HTTP requests to /goform/GetParentControlInfo containing abnormally long src parameter values
  • Repeated httpd process crashes or unexpected reboots on Tenda AC15 devices
  • Unexpected outbound connections originating from the router management IP
  • Loss of web management interface availability without administrator action

Detection Strategies

  • Inspect HTTP traffic destined for router management interfaces for src parameters exceeding typical field lengths
  • Deploy IDS signatures matching oversized query strings targeting /goform/GetParentControlInfo
  • Correlate router syslog entries for httpd crashes with inbound HTTP traffic patterns

Monitoring Recommendations

  • Forward router syslog and management-plane logs to a centralized SIEM for anomaly detection
  • Alert on any inbound HTTP requests to router administrative endpoints from untrusted network segments
  • Track firmware versions across managed Tenda devices to identify unpatched inventory

How to Mitigate CVE-2025-25634

Immediate Actions Required

  • Disable WAN-side remote management on affected Tenda AC15 devices
  • Restrict LAN access to the router management interface using ACLs or VLAN segmentation
  • Monitor vendor channels for a firmware release addressing this issue and apply upon availability
  • Replace end-of-life or unpatched consumer routers in enterprise environments with supported hardware

Patch Information

No vendor advisory or patched firmware has been published for CVE-2025-25634 at the time of NVD listing. Administrators should track Tenda's official firmware download portal for updates superseding 15.03.05.19.

Workarounds

  • Block external access to TCP ports 80 and 443 on the router's WAN interface at the upstream firewall
  • Restrict access to /goform/GetParentControlInfo using an inline web application firewall where feasible
  • Disable the parental control feature if the vulnerable code path is only triggered through that module
  • Isolate affected routers on a management VLAN accessible only from trusted administrator workstations
bash
# Example upstream firewall rule to block WAN access to router HTTP management
iptables -A FORWARD -p tcp -d <router_wan_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_wan_ip> --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.