Skip to main content
CVE Vulnerability Database

CVE-2025-5853: Tenda AC6 Buffer Overflow Vulnerability

CVE-2025-5853 is a critical stack-based buffer overflow in Tenda AC6 Firmware affecting formSetSafeWanWebMan function. Attackers can exploit this remotely to compromise devices. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-5853 Overview

CVE-2025-5853 is a stack-based buffer overflow vulnerability in the Tenda AC6 router running firmware version 15.03.05.16. The flaw resides in the formSetSafeWanWebMan function handling requests to /goform/SetRemoteWebCfg. An attacker can manipulate the remoteIp argument to overflow a fixed-size stack buffer, corrupting adjacent memory and program flow. The attack can be launched remotely over the network and requires only low-level privileges. The exploit details have been disclosed publicly, increasing the risk of active targeting against exposed devices.

Critical Impact

Remote attackers can corrupt stack memory on Tenda AC6 routers, enabling potential code execution, device takeover, or denial of service against the network gateway.

Affected Products

  • Tenda AC6 router (hardware revision 1.0)
  • Tenda AC6 firmware version 15.03.05.16
  • Web management interface endpoint /goform/SetRemoteWebCfg

Discovery Timeline

  • 2025-06-09 - CVE-2025-5853 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-5853

Vulnerability Analysis

The vulnerability is a stack-based buffer overflow (CWE-121, related to CWE-119 and CWE-787) in the formSetSafeWanWebMan handler within the Tenda AC6 httpd binary. The handler processes HTTP POST data submitted to /goform/SetRemoteWebCfg, which controls the remote web management configuration of the router. The remoteIp parameter is copied into a fixed-size stack buffer without enforcing length validation. Supplying an oversized value overruns the buffer and overwrites saved registers and the return address on the call stack. The Exploit Prediction Scoring System places this vulnerability in a high percentile relative to other published CVEs, reflecting the public availability of exploitation details.

Root Cause

The root cause is missing bounds checking on attacker-controlled input. The firmware uses unsafe string copy routines such as strcpy or sprintf against the remoteIp parameter rather than length-restricted equivalents. No upper bound is enforced before the copy executes, so user-supplied data of arbitrary length is written directly into the stack frame of formSetSafeWanWebMan.

Attack Vector

An attacker authenticated to the router's web interface sends a crafted HTTP POST request to /goform/SetRemoteWebCfg containing an overlong remoteIp value. The malformed value overflows the stack buffer used by formSetSafeWanWebMan. By controlling the overwritten return address and surrounding stack data, an attacker can redirect execution into shellcode or perform return-oriented programming against the MIPS firmware. At minimum, the overflow crashes the httpd service. When the management interface is exposed to the WAN, the attack surface extends to any internet-based attacker who can reach the device. Refer to the Notion Analysis of Tenda AC6 and VulDB entry 311599 for additional technical context.

Detection Methods for CVE-2025-5853

Indicators of Compromise

  • HTTP POST requests to /goform/SetRemoteWebCfg containing abnormally long remoteIp parameter values, typically exceeding 64 bytes.
  • Unexpected restarts or crashes of the router's httpd process and loss of web management availability.
  • Outbound connections from the router to unfamiliar hosts following inbound requests to the remote web configuration endpoint.

Detection Strategies

  • Inspect web server access logs and network captures for requests targeting /goform/SetRemoteWebCfg from untrusted sources.
  • Apply intrusion detection signatures that flag HTTP parameters with oversized values matching the remoteIp field pattern.
  • Correlate router crash telemetry with preceding management interface requests to identify exploitation attempts.

Monitoring Recommendations

  • Monitor WAN-side exposure of the router management interface and alert on any external access to /goform/ endpoints.
  • Track configuration changes related to remote web management, including unexpected enablement of WAN-side administration.
  • Baseline expected httpd uptime on the device and alert on repeated service restarts indicative of crash-and-retry exploitation.

How to Mitigate CVE-2025-5853

Immediate Actions Required

  • Disable remote web management on the WAN interface until a vendor patch is verified and applied.
  • Restrict LAN-side access to the router admin interface to a dedicated management VLAN or specific administrative hosts.
  • Rotate the router administrator password and audit accounts that may have been used to reach the vulnerable endpoint.
  • Replace internet-exposed Tenda AC6 units with patched or alternative hardware where business risk justifies it.

Patch Information

No vendor advisory or fixed firmware version is currently listed in the NVD reference set. Consult the Tenda Official Website for firmware updates addressing the formSetSafeWanWebMan handler. Until a fixed image is published, treat the device as unpatched and apply compensating network controls.

Workarounds

  • Block inbound TCP traffic to the router's HTTP/HTTPS management ports at the upstream firewall or ISP-provided equipment.
  • Place the router behind a segmentation device that filters HTTP requests to /goform/SetRemoteWebCfg from untrusted networks.
  • Disable the Remote Web Management feature in the router configuration to remove the vulnerable code path from external reachability.
bash
# Example: block external access to router web management on an upstream Linux gateway
iptables -A FORWARD -p tcp -d <router_wan_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_wan_ip> --dport 443 -j DROP
iptables -A FORWARD -p tcp -d <router_wan_ip> --dport 8080 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.