CVE-2025-9523 Overview
CVE-2025-9523 is a stack-based buffer overflow [CWE-119] in the Tenda AC1206 wireless router running firmware version 15.03.06.23. The flaw resides in the GetParentControlInfo function exposed through the /goform/GetParentControlInfo endpoint. An attacker can manipulate the mac argument to overflow a fixed-size stack buffer. The vulnerability is reachable over the network and requires no authentication or user interaction. Public disclosure of the exploit details has occurred through VulDB and a third-party IoT CVE repository on GitHub.
Critical Impact
Unauthenticated remote attackers can corrupt stack memory on affected Tenda AC1206 routers, enabling denial of service and potential remote code execution on the device.
Affected Products
- Tenda AC1206 router (hardware)
- Tenda AC1206 firmware version 15.03.06.23
- Deployments exposing the /goform/GetParentControlInfo endpoint to untrusted networks
Discovery Timeline
- 2025-08-27 - CVE-2025-9523 published to the National Vulnerability Database
- 2025-09-20 - Last updated in NVD database
Technical Details for CVE-2025-9523
Vulnerability Analysis
The vulnerability exists in the HTTP handler for parental control configuration on the Tenda AC1206 router. When the web management interface receives a request to /goform/GetParentControlInfo, the GetParentControlInfo function reads the user-supplied mac parameter and copies it into a fixed-size stack buffer without enforcing length checks. Supplying an oversized mac value overwrites adjacent stack data, including saved return addresses and frame pointers. Because the router exposes this endpoint over the LAN-facing web interface, an attacker on the same network segment can trigger the overflow with a single crafted HTTP request. According to the public exploit details, the attack vector is network-based and requires no credentials.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119]. The handler trusts the length of the mac query parameter and uses an unsafe string copy operation against a stack-allocated buffer. No prior validation enforces the expected MAC address format (12 hexadecimal characters with separators), so any oversized input bypasses bounds checks.
Attack Vector
Exploitation requires HTTP access to the router's web administration interface. An attacker sends a POST or GET request to /goform/GetParentControlInfo with a mac parameter containing a payload that exceeds the buffer length. The overflow corrupts the stack frame of the handler, leading to a crash and reboot at minimum. On MIPS-based Tenda firmware, similar overflows have historically been weaponized to achieve arbitrary code execution by overwriting the return address and pivoting into a ROP chain located in libc or other loaded modules. The EPSS score for this CVE is 0.726% with a percentile of 72.76, indicating elevated likelihood of exploitation relative to most CVEs.
No verified proof-of-concept code is reproduced here. Technical write-ups are available in the GitHub IoT CVE Documentation and the VulDB entry #321541.
Detection Methods for CVE-2025-9523
Indicators of Compromise
- HTTP requests to /goform/GetParentControlInfo containing an unusually long mac parameter, particularly values exceeding 32 bytes or containing non-hexadecimal characters
- Unexpected reboots or watchdog resets of the Tenda AC1206 router shortly after inbound LAN HTTP traffic
- Outbound connections from the router to attacker-controlled infrastructure following a malformed administrative request
Detection Strategies
- Inspect web server and router syslog output for malformed requests targeting /goform/GetParentControlInfo
- Deploy network intrusion detection signatures that flag oversized values in the mac query parameter on Tenda /goform/ endpoints
- Correlate router crash events with preceding HTTP administrative traffic from non-administrator hosts
Monitoring Recommendations
- Forward router and gateway logs to a central SIEM and alert on repeated requests to /goform/ administrative endpoints from unexpected internal hosts
- Monitor for new or unauthorized administrative sessions originating from the router's management VLAN
- Track firmware version inventory across managed network devices to identify hosts still running 15.03.06.23
How to Mitigate CVE-2025-9523
Immediate Actions Required
- Restrict access to the router's web management interface to a dedicated administrative network or single trusted host
- Disable remote (WAN-side) management on all Tenda AC1206 devices until a fixed firmware version is available
- Audit all Tenda AC1206 routers in the environment and confirm whether firmware 15.03.06.23 is in use
Patch Information
At the time of publication, no vendor advisory or patched firmware has been released by Tenda for CVE-2025-9523. Refer to the Tenda Official Website for firmware updates. Where a vendor patch is unavailable, organizations should consider replacing affected SOHO-class hardware with devices that receive supported security updates.
Workarounds
- Segment Tenda AC1206 devices onto an isolated management VLAN and block HTTP/HTTPS access from general user networks
- Place an upstream firewall ACL in front of the router to deny inbound traffic to /goform/GetParentControlInfo from untrusted hosts
- Where parental control features are not used, avoid configuring the feature to reduce the attack surface exposed by the affected handler
# Example iptables rule on an upstream Linux gateway to block external
# access to the vulnerable Tenda administrative endpoint
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 \
-m string --string "/goform/GetParentControlInfo" --algo bm \
-j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

