CVE-2025-11120 – A buffer overflow vulnerability in Tenda AC8 ro... (How to Fix)

Q: What is the severity of CVE-2025-11120?

CVE-2025-11120 has a CVSS score of 8.8 (HIGH). A buffer overflow vulnerability in Tenda AC8 routers allows remote attackers to execute arbitrary code by exploiting the formSetServerConfig function. This affects Tenda AC8 routers running firmware version 16.03.34.06. Attackers can compromise the router remotely without authentication.

📋 TL;DR

A buffer overflow vulnerability in Tenda AC8 routers allows remote attackers to execute arbitrary code by exploiting the formSetServerConfig function. This affects Tenda AC8 routers running firmware version 16.03.34.06. Attackers can compromise the router remotely without authentication.

💻 Affected Systems

Products:

Tenda AC8

Versions: 16.03.34.06

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: All Tenda AC8 routers running the vulnerable firmware version are affected regardless of configuration.

📦 What is this software?

Ac18 Firmware by Tenda

View all CVEs affecting Ac18 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise leading to persistent backdoor installation, network traffic interception, and lateral movement to connected devices.

🟠

Likely Case

Router takeover enabling DNS hijacking, credential theft, and botnet recruitment.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted WAN access and regular firmware updates.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-exposed routers immediate targets.

🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but requires specific targeting.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code exists on GitHub, making exploitation accessible even to less skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates 2. Download latest firmware 3. Access router admin interface 4. Upload and install new firmware 5. Reboot router

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router administration interface

Network Segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

Replace affected routers with different models or brands
Implement strict firewall rules blocking all WAN access to router management ports

🔍 How to Verify

Check if Vulnerable:

Access router admin interface and check firmware version matches 16.03.34.06

Check Version:

Check router web interface or use nmap/router scanning tools

Verify Fix Applied:

Verify firmware version has been updated to a version later than 16.03.34.06

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/SetServerConfig
Router reboot events
Configuration changes

Network Indicators:

Exploit traffic patterns to router management interface
Unusual outbound connections from router

SIEM Query:

source="router_logs" AND (uri="/goform/SetServerConfig" OR event="buffer_overflow")

📊 Metadata

CVE ID: CVE-2025-11120

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.18% exploit probability (39.7th percentile)

Published: September 28, 2025

Last Updated: October 3, 2025

🔗 References

https://github.com/alc9700jmo/CVE/issues/19 Exploit,Issue Tracking
https://vuldb.com/?ctiid.326201 Permissions Required,VDB Entry
https://vuldb.com/?id.326201 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.664065 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product
https://github.com/alc9700jmo/CVE/issues/19 Exploit,Issue Tracking

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11120, you might also want to check these: