Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-5847

CVE-2025-5847: Tenda AC9 Firmware Buffer Overflow Flaw

CVE-2025-5847 is a critical stack-based buffer overflow vulnerability in Tenda AC9 Firmware that allows remote attackers to exploit the formSetSafeWanWebMan function. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-5847 Overview

CVE-2025-5847 is a stack-based buffer overflow [CWE-121, CWE-787] in the Tenda AC9 router running firmware version 15.03.02.13. The flaw resides in the formSetSafeWanWebMan function, which handles HTTP POST requests sent to /goform/SetRemoteWebCfg. An attacker can trigger the overflow by manipulating the remoteIp argument, corrupting adjacent stack memory. The attack is remotely exploitable across the network, and the exploit details have been disclosed publicly. Successful exploitation can lead to arbitrary code execution on the device or a denial-of-service condition affecting the router.

Critical Impact

Remote attackers with low-level privileges can corrupt stack memory through a crafted remoteIp parameter, potentially achieving code execution on affected Tenda AC9 routers.

Affected Products

  • Tenda AC9 router (hardware version 1.0)
  • Tenda AC9 firmware version 15.03.02.13
  • HTTP POST request handler component (/goform/SetRemoteWebCfg)

Discovery Timeline

  • 2025-06-08 - CVE-2025-5847 published to NVD
  • 2025-06-09 - Last updated in NVD database

Technical Details for CVE-2025-5847

Vulnerability Analysis

The vulnerability lives in the formSetSafeWanWebMan function, a request handler in the web management interface of the Tenda AC9 router. When a client sends an HTTP POST request to /goform/SetRemoteWebCfg, the handler reads the remoteIp parameter from the request body. The function copies this user-controlled value into a fixed-size stack buffer without validating its length. An oversized remoteIp value overwrites the saved return address and adjacent stack frames. This corruption enables an attacker to redirect control flow and execute attacker-supplied instructions within the context of the web server process, which typically runs with elevated privileges on embedded devices.

Root Cause

The root cause is missing input length validation on the remoteIp argument before a memory copy operation into a stack-allocated buffer. The function relies on an unbounded string copy, classifying the issue as both an improper restriction of operations within memory bounds [CWE-119] and an out-of-bounds write [CWE-787]. Tenda firmware images for the AC9 line frequently use unsafe C string functions such as strcpy and sprintf in form handlers, which is consistent with the described behavior.

Attack Vector

Exploitation requires network reachability to the device's web management interface and an authenticated session at low privilege. Once authenticated, the attacker sends a single HTTP POST request to /goform/SetRemoteWebCfg with an oversized remoteIp value. No user interaction is required. The vulnerability mechanism is detailed in the public Notion writeup on Tenda AC9 formSetSafeWanWebMan and indexed in VulDB entry 311593. No verified proof-of-concept code is reproduced here.

Detection Methods for CVE-2025-5847

Indicators of Compromise

  • HTTP POST requests to /goform/SetRemoteWebCfg containing unusually long remoteIp parameter values.
  • Unexpected reboots, crashes, or watchdog resets of the AC9 router web service following inbound HTTP traffic.
  • New or unexplained outbound connections originating from the router's WAN interface after suspicious POST traffic.
  • Configuration changes to remote management settings that were not initiated by an administrator.

Detection Strategies

  • Inspect HTTP request bodies destined for /goform/SetRemoteWebCfg and flag remoteIp values exceeding expected IPv4 string length (15 characters).
  • Deploy network IDS rules that match POST traffic to goform endpoints on Tenda devices with anomalous payload sizes.
  • Correlate router crash or reboot events with preceding HTTP administrative traffic in centralized logging.

Monitoring Recommendations

  • Forward router syslog and HTTP access logs to a centralized SIEM for retention and correlation.
  • Monitor for repeated authentication attempts against the router's web interface from external addresses.
  • Alert on any HTTP request to /goform/ endpoints originating from non-management network segments.

How to Mitigate CVE-2025-5847

Immediate Actions Required

  • Disable remote web management on affected Tenda AC9 devices until a vendor patch is verified and applied.
  • Restrict access to the router's administrative interface to a dedicated management VLAN or trusted IP allowlist.
  • Rotate all router administrator credentials, since the attack vector requires low-level authentication.
  • Audit router configurations for unauthorized changes to the remote management settings.

Patch Information

At the time of publication, no vendor advisory or firmware update for CVE-2025-5847 is referenced in the NVD entry. Monitor the Tenda official website for firmware releases superseding 15.03.02.13. Until a fixed firmware is published, treat the device as unpatched and apply compensating controls.

Workarounds

  • Block inbound HTTP and HTTPS traffic to the router's WAN interface at the upstream firewall.
  • Place the router behind a reverse proxy or network segment that enforces strict request size limits on /goform/ endpoints.
  • Replace end-of-life or unsupported Tenda AC9 hardware with devices that receive active security maintenance.
  • Disable the SetRemoteWebCfg functionality through the administrative UI if the feature is not in use.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne