CVE-2025-3161 Overview
CVE-2025-3161 is a stack-based buffer overflow in the Tenda AC10 router running firmware version 16.03.10.13. The flaw resides in the ShutdownSetAdd function handling requests to the /goform/ShutdownSetAdd endpoint. Manipulating the list argument corrupts the stack, allowing remote attackers to trigger memory corruption. Public disclosure of the exploit increases the likelihood of opportunistic attacks against exposed devices.
Critical Impact
Remote attackers can trigger a stack-based buffer overflow in the Tenda AC10 web management interface, potentially leading to arbitrary code execution on the router.
Affected Products
- Tenda AC10 router (hardware)
- Tenda AC10 firmware version 16.03.10.13
- Devices exposing the /goform/ShutdownSetAdd web interface
Discovery Timeline
- 2025-04-03 - CVE-2025-3161 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-3161
Vulnerability Analysis
The vulnerability affects the ShutdownSetAdd handler exposed through the /goform/ShutdownSetAdd HTTP endpoint on the Tenda AC10 router. The handler copies attacker-controlled input from the list HTTP parameter into a fixed-size stack buffer without bounds validation. Sending an oversized value overflows the buffer and corrupts adjacent stack memory, including the saved return address. The weakness is classified under [CWE-119] (improper restriction of operations within a memory buffer) and [CWE-787] (out-of-bounds write).
Exploitation requires network access to the router's web interface and low-privilege authentication. Successful exploitation compromises confidentiality, integrity, and availability of the device. Public exploit documentation is available in the GitHub CVE Documentation and VulDB #303107 entries.
Root Cause
The root cause is the absence of length validation before copying the list parameter into a fixed-size stack buffer inside ShutdownSetAdd. The function trusts client-supplied input, allowing attackers to write beyond the buffer boundary. This is a common pattern in embedded router firmware where strcpy-style operations are used without prior length checks.
Attack Vector
The attack is delivered over the network to the router's HTTP management interface. An authenticated attacker submits a crafted POST request to /goform/ShutdownSetAdd containing an oversized list argument. The overflow overwrites stack metadata, enabling denial of service and potentially remote code execution on the MIPS-based device. Refer to the GitHub CVE RCE Proof Section for verified proof-of-concept details.
Detection Methods for CVE-2025-3161
Indicators of Compromise
- HTTP POST requests to /goform/ShutdownSetAdd containing abnormally long list parameter values
- Unexpected reboots or web management service crashes on Tenda AC10 devices
- Outbound connections from the router to unfamiliar external hosts following administrative activity
- New or altered firewall rules, DNS settings, or administrative accounts on the router
Detection Strategies
- Inspect web server and router logs for requests targeting /goform/ShutdownSetAdd with parameter lengths exceeding typical values
- Deploy network intrusion detection signatures that flag oversized POST bodies to Tenda /goform/ endpoints
- Monitor router availability and management interface uptime for repeated failures indicating overflow attempts
Monitoring Recommendations
- Log all administrative traffic to the router's management interface and forward to a central log platform
- Alert on router configuration changes, firmware modifications, and new session origins from external IP ranges
- Track DNS query patterns from the router for signs of downstream client redirection or C2 activity
How to Mitigate CVE-2025-3161
Immediate Actions Required
- Restrict access to the router's web management interface to trusted internal networks only
- Disable remote WAN-side administration on the Tenda AC10 if not required
- Change default and shared administrator credentials to limit low-privilege exploitation paths
- Isolate the router on a dedicated management VLAN and monitor traffic to /goform/ endpoints
Patch Information
No vendor patch has been referenced in the CVE record at the time of publication. Consult the Tenda Official Website for firmware updates addressing 16.03.10.13. If no fix is available, consider replacing affected units in high-risk environments.
Workarounds
- Block external access to TCP ports serving the router's HTTP administration interface at the perimeter firewall
- Enforce ACLs limiting management access to a small set of administrative source IP addresses
- Segment vulnerable devices from sensitive network zones to contain post-exploitation movement
- Monitor for and drop HTTP requests to /goform/ShutdownSetAdd from untrusted sources using a reverse proxy or IPS
# Example iptables rule restricting router admin access to a management subnet
iptables -A INPUT -p tcp --dport 80 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

