CVE-2025-11325

8.8 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability exists in Tenda AC18 routers via the /goform/fast_setting_pppoe_set endpoint. Attackers can remotely exploit this by manipulating the Username parameter to execute arbitrary code. This affects Tenda AC18 router users running vulnerable firmware.

💻 Affected Systems

Products:
  • Tenda AC18
Versions: 15.03.05.19(6318)
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the web management interface's PPPoE configuration function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete router compromise, credential theft, network pivoting, and persistent backdoor installation.

🟠 Likely Case

Router compromise allowing attackers to intercept network traffic, modify DNS settings, or launch attacks against internal devices.

🟢 If Mitigated

Limited impact if the router is behind a firewall with restricted WAN access or if the vulnerable interface is not exposed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists on GitHub, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda's website for firmware updates.
2. Download the latest firmware.
3. Log into router admin panel.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload and install the new firmware.

🔧 Temporary Workarounds

Disable WAN access to admin interface

all

Prevent external access to the vulnerable endpoint by disabling remote administration.

Use firewall rules to block access

all

Block external access to port 80/443 on the router's WAN interface.

🧯 If You Can't Patch

  • Replace the vulnerable router with a different model or vendor
  • Isolate the router in a separate network segment with strict access controls

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel under System Status or System Tools > Firmware Upgrade.

Check Version:

Log in to the router web interface and check the firmware version in system settings.

Verify Fix Applied:

Verify firmware version has been updated to a version newer than 15.03.05.19(6318).

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/fast_setting_pppoe_set with long Username parameters
  • Router reboot or crash logs

Network Indicators:

  • External IP addresses accessing router admin interface on port 80/443
  • Unusual outbound connections from router

SIEM Query:

source="router_logs" AND (url="/goform/fast_setting_pppoe_set" OR "pppoe_set") AND (username_length>100 OR contains(username,"\x"))
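
The log indicators and SIEM query above, applied to request logs as an added Python example (not part of the original advisory or any vendor tooling). The log line format, the LAN range, and the names inspect_line, scan and SAMPLE are assumptions made for illustration; the endpoint and the length threshold of 100 come from this page.

```python
import ipaddress
from urllib.parse import parse_qs

ENDPOINT = "/goform/fast_setting_pppoe_set"      # endpoint named in the advisory
MAX_USERNAME_LEN = 100                           # threshold used by the SIEM query
LAN = ipaddress.ip_network("192.168.0.0/16")     # assumption: the site's LAN range

def inspect_line(line):
    """Return the reasons a log line is suspicious (empty list if none).
    Assumed format: <timestamp> <src_ip> <method> <path> [<urlencoded-body>]
    """
    parts = line.split(None, 4)
    if len(parts) < 4:
        return []
    src_ip, method, path = parts[1:4]
    body = parts[4].strip() if len(parts) == 5 else ""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    reasons = []
    try:
        if ipaddress.ip_address(src_ip) not in LAN:
            reasons.append("source outside LAN")
    except ValueError:
        reasons.append("unparseable source address")
    # latin-1 maps each percent-decoded byte to one character, so len() counts bytes
    fields = parse_qs(body, keep_blank_values=True, encoding="latin-1")
    for name, values in fields.items():
        if name.lower() != "username":
            continue
        for value in values:
            if len(value) > MAX_USERNAME_LEN:
                reasons.append(f"Username length {len(value)}")
            if any(not 0x20 <= ord(ch) <= 0x7E for ch in value):
                reasons.append("non-printable bytes in Username")
    return reasons

def scan(lines):
    """Map line index -> reasons, for flagged lines only."""
    return {i: r for i, line in enumerate(lines) if (r := inspect_line(line))}

# Constructed sample log lines (not taken from a real device)
SAMPLE = [
    "2025-01-01T10:00:01Z 192.168.0.23 POST " + ENDPOINT + " Username=alice%40isp.example",
    "2025-01-01T10:02:17Z 203.0.113.7 POST " + ENDPOINT + " Username=" + "x" * 300,
    "2025-01-01T10:02:19Z 192.168.0.50 POST " + ENDPOINT + " Username=ab%00%ffcd",
    "2025-01-01T10:03:00Z 192.168.0.23 GET /index.html",
]
```

Calling scan(SAMPLE) flags the second and third lines only. The router itself is unlikely to log request bodies, so this assumes the lines come from a proxy or sensor in front of the admin interface.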
