CVE-2025-5852 Overview
CVE-2025-5852 is a buffer overflow vulnerability in the Tenda AC6 wireless router running firmware version 15.03.05.16. The flaw resides in the formSetPPTPUserList function handling requests to the /goform/setPptpUserList endpoint. Manipulation of the list argument triggers memory corruption in the router's web management service. The vulnerability is remotely exploitable, and exploit details have been disclosed publicly. The issue is categorized under CWE-119 (improper restriction of operations within the bounds of a memory buffer).
Critical Impact
Remote attackers with low privileges can corrupt memory on affected Tenda AC6 devices through crafted HTTP requests, potentially achieving arbitrary code execution on the router.
Affected Products
- Tenda AC6 hardware revision 1.0
- Tenda AC6 firmware version 15.03.05.16
- /goform/setPptpUserList web management endpoint
Discovery Timeline
- 2025-06-09 - CVE-2025-5852 published to NVD
- 2025-06-09 - Last updated in NVD database
Technical Details for CVE-2025-5852
Vulnerability Analysis
The Tenda AC6 router exposes a web administration interface that processes PPTP (Point-to-Point Tunneling Protocol) user list configuration through the /goform/setPptpUserList URI. The handler function formSetPPTPUserList parses the list parameter without validating its length before copying it into a fixed-size stack buffer. An attacker submitting an oversized list value overflows the buffer and overwrites adjacent stack data, including the saved return address.
Successful exploitation grants the attacker control over the device's HTTP daemon, which typically runs with root privileges on Tenda consumer routers. This enables persistent compromise, traffic interception, and pivot access into the LAN. The EPSS probability for this CVE is 0.621%.
Root Cause
The root cause is the absence of bounds checking on user-supplied input before invoking an unsafe memory copy. Tenda's web stack reuses a common pattern across formSet* handlers in which cgi-bin parameters are read directly from POST bodies into fixed buffers using functions such as strcpy or sprintf. This pattern has produced numerous prior buffer overflows in AC6 firmware.
Attack Vector
The attack is launched over the network against the router's HTTP management interface. The attacker authenticates with low-privilege credentials, then sends a crafted POST request to /goform/setPptpUserList containing an oversized list parameter. Devices exposing the web interface to the WAN side are reachable from the internet, expanding the attack surface beyond the local network.
No verified proof-of-concept code is published to a tracked exploit repository, though the vulnerability submitter documented exploitation details in a public write-up. Refer to the VulDB entry 311598 and the technical write-up for analysis details.
Detection Methods for CVE-2025-5852
Indicators of Compromise
- HTTP POST requests to /goform/setPptpUserList containing abnormally long list parameter values
- Repeated crashes or reboots of the httpd process on Tenda AC6 devices
- Unexpected outbound connections from the router to attacker-controlled infrastructure
- New or modified PPTP user entries that do not match administrator activity
Detection Strategies
- Inspect web server logs on the router and any upstream reverse proxy for POST requests to /goform/setPptpUserList with payloads exceeding expected length
- Deploy IDS signatures matching oversized list= parameters destined for Tenda management ports (typically TCP/80 and TCP/443)
- Correlate router crash events with preceding inbound HTTP traffic to the management interface
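The log inspection and crash correlation described above can be sketched as follows. This is an added example, not code from the vendor or the advisory: the log line layouts, the 512-byte limit, the 60-second window and the syslog wording are all assumptions to replace with what your proxy and router actually emit.

```python
import re
from datetime import datetime, timedelta

ENDPOINT = "/goform/setPptpUserList"
MAX_BODY_BYTES = 512                   # assumption: set above your largest legitimate request
CRASH_WINDOW = timedelta(seconds=60)   # assumption: how soon after a request a crash counts

# Constructed proxy log: time, client, method, path, status, request body bytes.
PROXY_LOG = """\
2025-06-10T09:14:02 192.168.0.15 POST /goform/setPptpUserList 200 96
2025-06-10T09:20:41 192.168.0.77 POST /goform/setPptpUserList - 4120
2025-06-10T09:21:10 192.168.0.15 GET /index.html 200 0
2025-06-10T11:02:33 192.168.0.15 POST /goform/setPptpUserList 200 2048
"""
# Constructed router syslog, as forwarded to a central collector.
ROUTER_SYSLOG = """\
2025-06-10T09:20:43 ac6 init: httpd exited, restarting
2025-06-10T10:30:00 ac6 kernel: link up
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def oversized_posts(proxy_log, limit=MAX_BODY_BYTES):
    """Return POSTs to the PPTP user-list endpoint whose body exceeds limit."""
    hits = []
    for line in proxy_log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, method, path, _status, size = m.groups()
        if method == "POST" and path.split("?", 1)[0] == ENDPOINT and int(size) > limit:
            hits.append({"time": datetime.fromisoformat(ts), "src": src, "bytes": int(size)})
    return hits

def crash_times(syslog):
    """Timestamps of syslog lines that report httpd exiting or restarting."""
    return [datetime.fromisoformat(l.split(" ", 1)[0]) for l in syslog.splitlines()
            if "httpd" in l and ("exited" in l or "restart" in l)]

def correlate(hits, crashes, window=CRASH_WINDOW):
    """Mark each oversized request that was followed by a crash within window."""
    for h in hits:
        h["followed_by_crash"] = any(timedelta(0) <= c - h["time"] <= window for c in crashes)
    return hits

if __name__ == "__main__":
    for h in correlate(oversized_posts(PROXY_LOG), crash_times(ROUTER_SYSLOG)):
        print(h["time"].isoformat(), h["src"], h["bytes"], "crash after:", h["followed_by_crash"])
```

An oversized request with no following crash, like the last constructed line, still merits review, since the size limit is only a heuristic.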
Monitoring Recommendations
- Forward router syslog output to a centralized log platform for retention and correlation
- Alert on any change to administrative configuration outside of approved maintenance windows
- Monitor for unauthorized access attempts against the AC6 web interface from external IP ranges
How to Mitigate CVE-2025-5852
Immediate Actions Required
- Disable WAN-side access to the router's web management interface
- Restrict LAN-side management access to a dedicated administrative VLAN or trusted host
- Rotate administrator credentials on all Tenda AC6 devices and disable default accounts
- Disable the PPTP server feature if not required for operational use
Patch Information
No vendor patch is referenced in the NVD record at the time of publication. Tenda has not posted an advisory for this CVE on its official website. Organizations operating affected hardware should consult Tenda support directly and consider device replacement if the AC6 model has reached end-of-life status.
Workarounds
- Place affected routers behind a network firewall that filters traffic to TCP/80 and TCP/443 on the device's management address
- Replace end-of-life Tenda AC6 units with currently supported router hardware that receives security updates
- Use a separate VPN gateway instead of the router's built-in PPTP service to avoid exposing the vulnerable handler
# Example: restrict router web management access using upstream firewall rules
iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 80 \
    -m iprange ! --src-range 192.168.0.10-192.168.0.20 -j DROP
iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 443 \
    -m iprange ! --src-range 192.168.0.10-192.168.0.20 -j DROP