Skip to main content
CVE Vulnerability Database

CVE-2025-9046: Tenda AC20 Buffer Overflow Vulnerability

CVE-2025-9046 is a stack-based buffer overflow in Tenda AC20 Firmware affecting the setMacFilterCfg function. Attackers can exploit this remotely to compromise devices. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-9046 Overview

CVE-2025-9046 is a stack-based buffer overflow vulnerability in the Tenda AC20 router running firmware version 16.03.08.12. The flaw resides in the sub_46A2AC function handling requests to the /goform/setMacFilterCfg endpoint. Attackers can trigger the overflow by manipulating the deviceList argument, corrupting stack memory on the device. The vulnerability is remotely exploitable over the network and a proof-of-concept exploit script has been publicly disclosed. The weakness is classified as [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Remote attackers with low privileges can corrupt stack memory on Tenda AC20 routers, leading to denial of service or potential arbitrary code execution on the affected device.

Affected Products

  • Tenda AC20 router (hardware)
  • Tenda AC20 firmware version 16.03.08.12
  • Devices exposing the /goform/setMacFilterCfg endpoint

Discovery Timeline

  • 2025-08-15 - CVE-2025-9046 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9046

Vulnerability Analysis

The vulnerability exists in the sub_46A2AC function within the Tenda AC20 web management interface. This function processes MAC filter configuration requests sent to the /goform/setMacFilterCfg HTTP endpoint. The function reads the deviceList parameter from the incoming request without validating its length before copying the data into a fixed-size stack buffer.

When an attacker submits an oversized deviceList value, the copy operation writes past the buffer boundary. This corrupts adjacent stack memory, including saved return addresses and frame pointers. The corruption allows control-flow hijacking on the MIPS-based device firmware.

The attack is network-reachable and requires only low privileges, meaning an authenticated user on the LAN side or an attacker who has obtained valid credentials can trigger exploitation. A public proof-of-concept Python exploit script has been published, lowering the bar for opportunistic attacks against exposed devices.

Root Cause

The root cause is missing bounds checking when copying the user-controlled deviceList parameter into a stack-allocated buffer inside sub_46A2AC. The firmware uses unsafe string handling routines without validating input length against the destination buffer size, a classic [CWE-119] memory safety failure common in embedded router firmware.

Attack Vector

An attacker sends a crafted HTTP POST request to /goform/setMacFilterCfg with an oversized deviceList parameter. The malformed payload overflows the stack buffer in sub_46A2AC, overwriting saved return addresses. On success, the device crashes, reboots, or executes attacker-controlled code with the privileges of the web management process — typically root on consumer routers. Technical details and a working PoC are available in the GitHub PoC Exploit Script and the VulDB entry #320267.

Detection Methods for CVE-2025-9046

Indicators of Compromise

  • HTTP POST requests to /goform/setMacFilterCfg containing abnormally long deviceList parameter values
  • Unexpected reboots, crashes, or restarts of the httpd process on Tenda AC20 routers
  • Outbound connections from the router to unknown hosts following web management requests
  • Web management interface returning malformed responses or timing out after specific requests

Detection Strategies

  • Inspect HTTP traffic to router management interfaces for setMacFilterCfg requests with deviceList payloads exceeding typical MAC address list lengths
  • Deploy network intrusion detection signatures matching the published PoC payload patterns targeting /goform/setMacFilterCfg
  • Monitor router syslog output for segmentation faults or watchdog-triggered reboots correlated with web requests

Monitoring Recommendations

  • Log all administrative access attempts to the Tenda AC20 web interface and alert on requests from untrusted source IPs
  • Track router uptime and process restart events to identify exploitation attempts that crash the device
  • Restrict and audit access to the LAN-side management interface, blocking WAN-side exposure entirely

How to Mitigate CVE-2025-9046

Immediate Actions Required

  • Disable remote (WAN-side) web management on all Tenda AC20 devices and restrict the admin interface to trusted internal hosts
  • Change default administrator credentials and rotate any shared passwords that may be known to attackers
  • Segment vulnerable AC20 routers away from sensitive network assets until a vendor patch is available
  • Monitor the Tenda Official Site for firmware updates addressing this vulnerability

Patch Information

As of the last NVD update on 2026-06-17, no vendor security advisory or patched firmware has been published for CVE-2025-9046. Administrators should consult the VulDB entry #320267 and the Tenda Official Site for forthcoming firmware releases. Given the lack of a vendor fix and the public availability of an exploit script, replacement with a supported router is recommended for high-risk environments.

Workarounds

  • Block external access to TCP port 80/443 on the router's WAN interface using upstream firewall rules
  • Restrict LAN-side access to the /goform/setMacFilterCfg endpoint through ACLs where the router supports them
  • Place the affected router behind a network segmentation boundary that limits which clients can reach the management interface
  • Consider replacing the Tenda AC20 with a device that receives active security maintenance
bash
# Example upstream firewall rule to block WAN-side access to router management
iptables -A FORWARD -p tcp -d <router_wan_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_wan_ip> --dport 443 -j DROP

# Restrict LAN management access to a specific admin host
iptables -A FORWARD -p tcp -s <admin_host_ip> -d <router_lan_ip> --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d <router_lan_ip> --dport 80 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.