Skip to main content
CVE Vulnerability Database

CVE-2025-9523: Tenda AC1206 Buffer Overflow Vulnerability

CVE-2025-9523 is a stack-based buffer overflow flaw in Tenda AC1206 Firmware affecting the GetParentControlInfo function. Attackers can exploit this remotely via the mac parameter. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-9523 Overview

CVE-2025-9523 is a stack-based buffer overflow [CWE-119] in the Tenda AC1206 wireless router running firmware version 15.03.06.23. The flaw resides in the GetParentControlInfo function exposed through the /goform/GetParentControlInfo endpoint. An attacker can manipulate the mac argument to overflow a fixed-size stack buffer. The vulnerability is reachable over the network and requires no authentication or user interaction. Public disclosure of the exploit details has occurred through VulDB and a third-party IoT CVE repository on GitHub.

Critical Impact

Unauthenticated remote attackers can corrupt stack memory on affected Tenda AC1206 routers, enabling denial of service and potential remote code execution on the device.

Affected Products

  • Tenda AC1206 router (hardware)
  • Tenda AC1206 firmware version 15.03.06.23
  • Deployments exposing the /goform/GetParentControlInfo endpoint to untrusted networks

Discovery Timeline

  • 2025-08-27 - CVE-2025-9523 published to the National Vulnerability Database
  • 2025-09-20 - Last updated in NVD database

Technical Details for CVE-2025-9523

Vulnerability Analysis

The vulnerability exists in the HTTP handler for parental control configuration on the Tenda AC1206 router. When the web management interface receives a request to /goform/GetParentControlInfo, the GetParentControlInfo function reads the user-supplied mac parameter and copies it into a fixed-size stack buffer without enforcing length checks. Supplying an oversized mac value overwrites adjacent stack data, including saved return addresses and frame pointers. Because the router exposes this endpoint over the LAN-facing web interface, an attacker on the same network segment can trigger the overflow with a single crafted HTTP request. According to the public exploit details, the attack vector is network-based and requires no credentials.

Root Cause

The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119]. The handler trusts the length of the mac query parameter and uses an unsafe string copy operation against a stack-allocated buffer. No prior validation enforces the expected MAC address format (12 hexadecimal characters with separators), so any oversized input bypasses bounds checks.

Attack Vector

Exploitation requires HTTP access to the router's web administration interface. An attacker sends a POST or GET request to /goform/GetParentControlInfo with a mac parameter containing a payload that exceeds the buffer length. The overflow corrupts the stack frame of the handler, leading to a crash and reboot at minimum. On MIPS-based Tenda firmware, similar overflows have historically been weaponized to achieve arbitrary code execution by overwriting the return address and pivoting into a ROP chain located in libc or other loaded modules. The EPSS score for this CVE is 0.726% with a percentile of 72.76, indicating elevated likelihood of exploitation relative to most CVEs.

No verified proof-of-concept code is reproduced here. Technical write-ups are available in the GitHub IoT CVE Documentation and the VulDB entry #321541.

Detection Methods for CVE-2025-9523

Indicators of Compromise

  • HTTP requests to /goform/GetParentControlInfo containing an unusually long mac parameter, particularly values exceeding 32 bytes or containing non-hexadecimal characters
  • Unexpected reboots or watchdog resets of the Tenda AC1206 router shortly after inbound LAN HTTP traffic
  • Outbound connections from the router to attacker-controlled infrastructure following a malformed administrative request

Detection Strategies

  • Inspect web server and router syslog output for malformed requests targeting /goform/GetParentControlInfo
  • Deploy network intrusion detection signatures that flag oversized values in the mac query parameter on Tenda /goform/ endpoints
  • Correlate router crash events with preceding HTTP administrative traffic from non-administrator hosts

Monitoring Recommendations

  • Forward router and gateway logs to a central SIEM and alert on repeated requests to /goform/ administrative endpoints from unexpected internal hosts
  • Monitor for new or unauthorized administrative sessions originating from the router's management VLAN
  • Track firmware version inventory across managed network devices to identify hosts still running 15.03.06.23

How to Mitigate CVE-2025-9523

Immediate Actions Required

  • Restrict access to the router's web management interface to a dedicated administrative network or single trusted host
  • Disable remote (WAN-side) management on all Tenda AC1206 devices until a fixed firmware version is available
  • Audit all Tenda AC1206 routers in the environment and confirm whether firmware 15.03.06.23 is in use

Patch Information

At the time of publication, no vendor advisory or patched firmware has been released by Tenda for CVE-2025-9523. Refer to the Tenda Official Website for firmware updates. Where a vendor patch is unavailable, organizations should consider replacing affected SOHO-class hardware with devices that receive supported security updates.

Workarounds

  • Segment Tenda AC1206 devices onto an isolated management VLAN and block HTTP/HTTPS access from general user networks
  • Place an upstream firewall ACL in front of the router to deny inbound traffic to /goform/GetParentControlInfo from untrusted hosts
  • Where parental control features are not used, avoid configuring the feature to reduce the attack surface exposed by the affected handler
bash
# Example iptables rule on an upstream Linux gateway to block external
# access to the vulnerable Tenda administrative endpoint
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 \
  -m string --string "/goform/GetParentControlInfo" --algo bm \
  -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.