CVE-2025-7914 Overview
CVE-2025-7914 is a buffer overflow vulnerability in the Tenda AC6 router running firmware version 15.03.06.50. The flaw resides in the setparentcontrolinfo function of the httpd component, which handles parental control configuration requests over the web management interface. Attackers can trigger the overflow remotely by sending crafted HTTP requests to the affected endpoint. The vulnerability is classified under [CWE-119], improper restriction of operations within the bounds of a memory buffer.
Critical Impact
Remote attackers with low-privilege access can corrupt memory in the httpd process, enabling code execution or service disruption on affected Tenda AC6 routers.
Affected Products
- Tenda AC6 router (hardware version 2.0)
- Tenda AC6 firmware version 15.03.06.50
- Devices exposing the httpd web management interface to untrusted networks
Discovery Timeline
- 2025-07-21 - CVE-2025-7914 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7914
Vulnerability Analysis
The vulnerability exists in the setparentcontrolinfo handler within the embedded httpd daemon on the Tenda AC6. The handler processes parental control parameters submitted through the router's web UI without enforcing proper bounds on user-supplied input. When attacker-controlled values exceed the size of the destination stack buffer, the overflow corrupts adjacent memory and can overwrite saved return addresses. A network-adjacent attacker authenticated to the management interface can reach the function and trigger the condition with a single crafted request.
A proof-of-concept describing the issue is published in the GitHub IoTVuln repository, and the issue is also tracked as VulDB #317029.
Root Cause
The setparentcontrolinfo function copies HTTP request parameters into fixed-size stack buffers using unsafe string operations. The handler does not validate input length before copying, allowing oversized values to overflow the buffer. Typical Tenda firmware patterns rely on strcpy or sprintf against attacker-controlled query or POST parameters, which the [CWE-119] classification confirms in this case.
Attack Vector
Exploitation requires network reachability to the router's HTTP management interface and low-privilege credentials. The attacker issues an HTTP request to the setparentcontrolinfo endpoint with an oversized parameter value. On embedded MIPS targets like the AC6, successful overflow can pivot execution to attacker-supplied shellcode or ROP chains, granting full control over the router. Refer to the linked proof-of-concept for the specific request structure that triggers the overflow.
Detection Methods for CVE-2025-7914
Indicators of Compromise
- HTTP POST or GET requests to the setparentcontrolinfo endpoint containing abnormally long parameter values
- Unexpected reboots or crashes of the Tenda AC6 httpd service following inbound management traffic
- New or unfamiliar DNS, firewall, or parental control configurations on the router
- Outbound connections from the router to attacker-controlled infrastructure
Detection Strategies
- Inspect router logs for repeated requests to parental control endpoints from a single source IP
- Deploy network IDS signatures that flag oversized parameter values in HTTP requests to embedded device management interfaces
- Monitor for HTTP requests to router management ports originating from internal client subnets that should not administer the device
- Baseline router configuration and alert on unauthorized changes to parental control settings
Monitoring Recommendations
- Restrict and log all access to the router's web management interface, blocking WAN-side exposure
- Capture and analyze inbound traffic to TCP/80 and TCP/443 on the router for malformed payloads
- Forward router syslog data to a centralized SIEM for correlation with endpoint telemetry
- Track firmware version reporting across managed network devices to identify unpatched AC6 units
How to Mitigate CVE-2025-7914
Immediate Actions Required
- Disable remote management of the Tenda AC6 from the WAN interface
- Restrict access to the LAN-side web management UI to a dedicated administrative VLAN or host
- Change default and shared administrator credentials to reduce the impact of the low-privilege precondition
- Isolate vulnerable AC6 devices from sensitive network segments until a patched firmware is available
Patch Information
At the time of publication, no vendor patch is referenced in the NVD record for CVE-2025-7914. Check the Tenda official website for firmware updates superseding 15.03.06.50, and apply them as soon as they become available. Until a fix is released, treat the device as exposed and apply network-level compensating controls.
Workarounds
- Place the router behind an upstream firewall that blocks unsolicited inbound HTTP/HTTPS traffic
- Disable the parental control feature if it is not in active use to reduce the attack surface
- Replace internet-exposed AC6 devices with currently supported hardware where feasible
- Segment IoT and consumer-grade routers from corporate networks to contain any compromise
# Example: block external access to the router management interface using iptables on an upstream gateway
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -i <wan_iface> -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -i <wan_iface> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

