Skip to main content
CVE Vulnerability Database

CVE-2025-6887: Tenda AC5 Buffer Overflow Vulnerability

CVE-2025-6887 is a critical stack-based buffer overflow in Tenda AC5 Firmware affecting /goform/SetSysTimeCfg. Attackers can exploit this remotely to compromise devices. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-6887 Overview

CVE-2025-6887 is a stack-based buffer overflow vulnerability in the Tenda AC5 wireless router running firmware version 15.03.06.47. The flaw resides in the /goform/SetSysTimeCfg endpoint, where the time and timeZone request parameters are copied to fixed-size stack buffers without proper bounds checking. Remote attackers with low-privileged access can send a crafted HTTP request to corrupt the stack and influence execution flow. The exploit details have been publicly disclosed, increasing the likelihood of opportunistic attacks against exposed devices. The weakness is classified under [CWE-119]: Improper Restriction of Operations within the Bounds of a Memory Buffer.

Critical Impact

Remote attackers can corrupt router memory through the SetSysTimeCfg handler, leading to denial of service or potential arbitrary code execution on affected Tenda AC5 devices.

Affected Products

  • Tenda AC5 router (hardware version 1.0)
  • Tenda AC5 firmware version 15.03.06.47
  • Web management interface exposing /goform/SetSysTimeCfg

Discovery Timeline

  • 2025-06-30 - CVE-2025-6887 published to NVD
  • 2025-07-01 - Last updated in NVD database

Technical Details for CVE-2025-6887

Vulnerability Analysis

The vulnerability exists in the fromSetSysTime handler invoked when clients submit requests to /goform/SetSysTimeCfg on the router's web management interface. The handler reads the time and timeZone query parameters from the HTTP request and copies their contents into stack-allocated buffers using unsafe string operations. Because the implementation does not validate the length of attacker-controlled input, oversized values overflow the destination buffers and overwrite adjacent stack data, including saved return addresses. Successful exploitation can crash the httpd process or redirect execution to attacker-controlled memory. The router exposes this interface over the local network and, in misconfigured deployments, over the internet. Authentication is required at a low privilege level, which still aligns with many home and small-office deployments where credentials are weak or default.

Root Cause

The root cause is missing length validation on the time and timeZone parameters before they are copied into fixed-size stack buffers. Tenda's MIPS-based firmware uses unsafe copy routines without bounds checks, allowing an attacker to write beyond the buffer boundary. See the Notion Analysis on SetSysTime Time and Notion Analysis on SetSysTime TimeZone for parameter-level disassembly.

Attack Vector

An authenticated attacker on the same network as the router sends a crafted HTTP POST to /goform/SetSysTimeCfg containing an oversized time or timeZone argument. The malformed value overflows the stack buffer inside fromSetSysTime, overwriting the saved return address. Depending on payload construction, the attack results in a denial of service or, with reliable gadget chains on the MIPS architecture, arbitrary code execution as the web server process. Additional context is available at VulDB #314366.

Detection Methods for CVE-2025-6887

Indicators of Compromise

  • HTTP POST requests to /goform/SetSysTimeCfg containing unusually long time or timeZone parameter values
  • Repeated httpd process crashes or unexpected router reboots logged in system or syslog output
  • Outbound connections from the router to unfamiliar hosts following administrative requests
  • Configuration changes to NTP or time settings that were not initiated by an administrator

Detection Strategies

  • Inspect HTTP request bodies destined for /goform/SetSysTimeCfg and alert when parameter values exceed expected lengths for time strings
  • Deploy network intrusion detection signatures that match oversized time= or timeZone= patterns to the Tenda management interface
  • Correlate router crash events with preceding HTTP traffic to the goform endpoints to identify exploitation attempts

Monitoring Recommendations

  • Restrict and log access to the router's web management interface from non-administrative hosts
  • Forward router syslog data to a centralized log platform for anomaly review
  • Track external scans probing /goform/SetSysTimeCfg against perimeter devices to surface mass-exploitation campaigns

How to Mitigate CVE-2025-6887

Immediate Actions Required

  • Disable remote (WAN-side) administration on Tenda AC5 devices to limit exposure to local attackers only
  • Change default and weak administrative credentials to reduce the chance of an attacker meeting the low-privilege precondition
  • Segment vulnerable routers away from sensitive assets until a firmware update is available
  • Monitor the Tenda Official Website for firmware updates addressing the SetSysTimeCfg handler

Patch Information

No vendor patch has been published in the referenced advisories at the time of NVD publication. Administrators should track vendor announcements at VulDB #314366 CI and the Tenda Official Website for firmware updates that introduce length validation on the time and timeZone parameters.

Workarounds

  • Place the router behind an upstream firewall and block inbound HTTP/HTTPS traffic to the management interface from untrusted networks
  • Restrict management access by source IP using LAN ACLs where the device firmware supports them
  • Where feasible, replace end-of-support Tenda AC5 hardware with actively maintained equipment that receives security updates
bash
# Example upstream firewall rule to block external access to the router's web UI
# Replace 192.0.2.10 with the router's LAN/management IP
iptables -A FORWARD -p tcp -d 192.0.2.10 --dport 80 -i wan0 -j DROP
iptables -A FORWARD -p tcp -d 192.0.2.10 --dport 443 -i wan0 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.