CVE-2025-4810 Overview
CVE-2025-4810 is a stack-based buffer overflow vulnerability in the Tenda AC7 wireless router running firmware version 15.03.06.44. The flaw resides in the formSetRebootTimer function handling requests to /goform/SetRebootTimer. Attackers can manipulate the reboot_time argument to overflow a stack buffer and corrupt adjacent memory. The vulnerability is reachable over the network and the exploit details have been publicly disclosed. Successful exploitation can compromise confidentiality, integrity, and availability of the affected device, giving attackers a foothold inside the local network perimeter.
Critical Impact
Remote attackers with low privileges can trigger a stack-based buffer overflow in the Tenda AC7 web management interface, enabling potential code execution or denial of service on the router.
Affected Products
- Tenda AC7 hardware router
- Tenda AC7 firmware version 15.03.06.44
- Devices exposing the /goform/SetRebootTimer endpoint on the LAN or WAN management interface
Discovery Timeline
- 2025-05-16 - CVE-2025-4810 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-4810
Vulnerability Analysis
The vulnerability lives inside the formSetRebootTimer handler in the Tenda AC7 web management binary (httpd). This handler processes HTTP requests submitted to the /goform/SetRebootTimer endpoint, which is used to configure the router's scheduled reboot feature. The handler reads the reboot_time parameter directly from the request body and copies it into a fixed-size buffer on the stack without validating its length. Supplying an overlong reboot_time value overwrites saved registers and the return address on the stack. This matches the behavior described by [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer) and [CWE-787] (Out-of-bounds Write).
Root Cause
The root cause is missing input length validation before the router copies attacker-controlled data into a stack buffer. The formSetRebootTimer function trusts the size of the reboot_time parameter and uses an unsafe string copy routine. Because the affected binary runs on a MIPS/ARM SoC without modern exploit mitigations such as stack canaries or full ASLR, corrupting the return address translates directly into control of program flow.
Attack Vector
An attacker sends a crafted HTTP POST request to /goform/SetRebootTimer on the router's management interface. The request must include a long reboot_time string that exceeds the internal buffer size. The attacker requires network reachability to the management interface and low-privilege authentication on the web UI. Where the device exposes management to the WAN or where an attacker already sits on the LAN, exploitation requires no user interaction. Because the exploit has been publicly disclosed, opportunistic scanning against internet-exposed Tenda AC7 devices should be expected.
No verified proof-of-concept code is available in the enriched dataset. Refer to the Notion Security Overview and VulDB #309265 for technical write-ups.
Detection Methods for CVE-2025-4810
Indicators of Compromise
- HTTP POST requests to /goform/SetRebootTimer containing abnormally long reboot_time parameter values.
- Unexpected reboots, httpd process crashes, or watchdog-triggered restarts on Tenda AC7 devices.
- Outbound connections from the router to unknown hosts following inbound traffic to the management interface.
Detection Strategies
- Inspect network traffic destined for Tenda AC7 management interfaces for oversized parameter values in /goform/* endpoints.
- Correlate router syslog messages showing repeated httpd restarts with prior inbound HTTP activity from untrusted sources.
- Deploy IDS/IPS signatures that flag POST requests to SetRebootTimer where the request body exceeds a reasonable length threshold.
Monitoring Recommendations
- Forward router syslog and management interface access logs to a centralized log platform for retention and correlation.
- Alert on any external source attempting to reach the router's administrative HTTP interface.
- Baseline expected administrative traffic patterns and flag deviations, especially bursts of /goform/ requests.
How to Mitigate CVE-2025-4810
Immediate Actions Required
- Restrict access to the router's web management interface to trusted LAN hosts and disable WAN-side administration.
- Change default administrator credentials and enforce strong passwords to reduce the pool of low-privilege attackers.
- Segment the router's management VLAN away from untrusted user and IoT networks.
- Monitor Tenda's advisories and apply firmware updates for the AC7 as soon as a fixed version is released.
Patch Information
At the time of publication, no vendor patch has been referenced in the enriched CVE data. Check the Tenda Official Website for firmware updates addressing the formSetRebootTimer handler in AC7 firmware version 15.03.06.44. Where a supported successor firmware or replacement device is available, plan migration for end-of-life SOHO hardware that no longer receives security updates.
Workarounds
- Disable remote (WAN) management on the router and block inbound TCP/80 and TCP/443 to the device from the internet.
- Apply firewall ACLs upstream of the router to restrict which internal hosts can reach the administrative interface.
- Replace the affected Tenda AC7 with a supported router model if a vendor patch is not made available in a timely manner.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

