CVE-2025-11328

8.8 HIGH

📋 TL;DR

This vulnerability in Tenda AC18 routers (firmware 15.03.05.19(6318)) is a stack-based buffer overflow in the web management interface's DDNS configuration endpoint, /goform/SetDDNSCfg. A remote attacker who can reach the web interface can trigger it without authentication and execute arbitrary code, potentially taking full control of the device. Every device running the vulnerable firmware is at risk.

💻 Affected Systems

Products:
  • Tenda AC18
Versions: 15.03.05.19(6318)
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface's DDNS configuration endpoint. No special configuration required for exploitation.

📦 What is this software?

The Tenda AC18 is a consumer dual-band wireless router from Shenzhen Tenda Technology. The affected component is the embedded web management interface (the router's httpd), which serves the /goform/ configuration endpoints used by the admin panel; /goform/SetDDNSCfg is the handler that saves dynamic-DNS settings.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to internal networks, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if the management interface is unreachable from the WAN and from untrusted LAN segments. Anyone on a network that can reach the web interface can still exploit it, so internal threats remain.

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication, public exploit code is available, and the web interface is exposed whenever remote management is enabled on an internet-facing router.
🏢 Internal Only: MEDIUM - Still exploitable from the LAN, but the attacker first needs a foothold on a network that can reach the web interface (for example a compromised client or guest Wi-Fi).

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub. Remote exploitation requires no authentication: a single crafted POST to /goform/SetDDNSCfg triggers the overflow, and the exploitation path is predictable because the firmware image is the same on every affected device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown (no fixed firmware build had been identified at the time of writing)

Vendor Advisory: none located; vendor site: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check the Tenda website for an AC18 firmware release that is newer than 15.03.05.19(6318) and that the vendor states addresses CVE-2025-11328.
2. Download the firmware image and verify it is for the AC18 hardware revision you have.
3. Log in to the router admin panel.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload and install the new firmware.
6. Reboot the router and confirm the new version is shown under System Status.

🔧 Temporary Workarounds

Disable Remote Management

Platform: all

In the admin panel, turn off remote (WAN-side) management so the web interface is reachable only from the LAN. This removes the internet-facing exposure; it does not stop exploitation from a device already on the LAN.

Block Access to Vulnerable Endpoint

Platform: linux

Use firewall rules to drop requests for /goform/SetDDNSCfg. These rules only help where an iptables-capable Linux host sits in the request path: on the router itself (INPUT chain, which requires a shell on the device) or on an upstream Linux gateway (use the FORWARD chain instead of INPUT). Insert them ahead of any existing ACCEPT rule or they never match. String matching cannot see inside TLS, so on port 443 restrict who can reach the interface instead, and a request split across TCP segments can evade a per-packet string match; treat this as a stop-gap, not a fix.

# Plain HTTP: drop packets whose payload carries the vulnerable path (-I so the rule precedes any ACCEPT)
iptables -I INPUT -p tcp --dport 80 -m string --string "/goform/SetDDNSCfg" --algo bm -j DROP
# HTTPS: the path is encrypted, so limit which sources may reach the UI at all (LAN subnet assumed; adjust)
iptables -I INPUT -p tcp --dport 443 ! -s 192.168.0.0/24 -j DROP

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict firewall rules
  • Implement network segmentation to limit router access to management network only

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel under System Status or System Tools > Firmware Upgrade. If version is 15.03.05.19(6318), device is vulnerable.

Check Version:

Check via the web interface or, as a quick probe, with curl: curl -s http://router-ip/ | grep -i firmware (best effort only: the login page may not print the version, in which case the admin panel is the authoritative source).

Verify Fix Applied:

Verify that the firmware version shown after the update is no longer 15.03.05.19(6318) and is a release the vendor states addresses CVE-2025-11328; a different build number alone does not prove the fix is present.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /goform/SetDDNSCfg carrying an abnormally long ddnsEn parameter (a legitimate value is a short enable flag)
  • Unexplained httpd crashes or router reboots; consumer routers keep little local logging, so capture requests at an upstream proxy or network tap where possible
  • Unexpected changes to DDNS settings

Network Indicators:

  • Exploit traffic patterns to router management interface
  • Shellcode patterns in HTTP POST data
  • Unexpected outbound connections from router

SIEM Query (pseudo-syntax; adapt field names to your platform):

source="router" AND (url="/goform/SetDDNSCfg" AND method="POST" AND content_length>1000)

The content_length>1000 threshold is a heuristic. An overflow of a small stack buffer can succeed with a body well under that size, so where the body is logged, also alert on any ddnsEn value longer than a few dozen bytes.
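The following C is an added example, not Tenda's firmware code (the real handler is not reproduced on this page). It shows the bug class described in the TL;DR and Exploit Status sections, a bounds-checked rewrite, and the Detection section's rule implemented as a request classifier. Only the endpoint path and the ddnsEn parameter name come from this page; the 64-byte buffer, the 1000-byte threshold, the form parser and the sample request bodies are constructed assumptions.

```c
/* Added example (not Tenda's code): a stack-overflow handler pattern, its
 * bounds-checked form, and the page's detection rule as code.
 * Assumed: 64-byte stack buffer, 1000-byte body threshold, the parser and
 * all sample bodies. Only "/goform/SetDDNSCfg" and "ddnsEn" come from the page. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define DDNS_FIELD_MAX   64     /* assumed size of the handler's stack buffer */
#define SUSPECT_BODY_LEN 1000   /* threshold used by the page's SIEM query */

/* Locate `key` in an application/x-www-form-urlencoded body. Returns a
 * pointer into `body` at the start of the value and stores its length in
 * *len; returns NULL if the key is absent. No percent-decoding. */
const char *form_get(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *len = plen - klen - 1;
            return p + klen + 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return NULL;
}

/* VULNERABLE pattern: value length is attacker-controlled, destination is a
 * fixed-size stack buffer, and nothing compares the two. Returns 1/0 for the
 * parsed flag, -1 if the field is missing. Called only with short input in
 * this file: a long ddnsEn overwrites the saved return address. */
int handle_set_ddns_vuln(const char *body)
{
    char ddns_en[DDNS_FIELD_MAX];
    size_t len;
    const char *v = form_get(body, "ddnsEn", &len);
    if (!v) return -1;
    memcpy(ddns_en, v, len);          /* no bound: overflow when len >= 64 */
    ddns_en[len] = '\0';
    return strcmp(ddns_en, "1") == 0;
}

/* HARDENED form: reject (do not silently truncate) any value that would not
 * fit, then copy. Returns -2 for an oversized value. */
int handle_set_ddns_safe(const char *body)
{
    char ddns_en[DDNS_FIELD_MAX];
    size_t len;
    const char *v = form_get(body, "ddnsEn", &len);
    if (!v) return -1;
    if (len >= sizeof ddns_en) return -2;   /* leave room for the NUL */
    memcpy(ddns_en, v, len);
    ddns_en[len] = '\0';
    return strcmp(ddns_en, "1") == 0;
}

/* The page's detection rule: flag a POST to the vulnerable endpoint whose
 * body exceeds the size threshold or whose ddnsEn value could not fit the
 * buffer. Returns 1 = suspicious, 0 = benign. */
int classify_request(const char *method, const char *path, const char *body)
{
    size_t len;
    const char *v;
    if (strcmp(method, "POST") != 0 || strcmp(path, "/goform/SetDDNSCfg") != 0)
        return 0;
    if (strlen(body) > SUSPECT_BODY_LEN)
        return 1;
    v = form_get(body, "ddnsEn", &len);
    return (v && len >= DDNS_FIELD_MAX) ? 1 : 0;
}

/* Constructed request body "ddnsEn=AAAA..." with value_len 'A's (no
 * shellcode); used only against the safe handler and the classifier. */
const char *oversized_body(size_t value_len)
{
    static char buf[2048];
    const char prefix[] = "ddnsEn=";
    size_t plen = sizeof prefix - 1;
    if (value_len > sizeof buf - plen - 1) value_len = sizeof buf - plen - 1;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', value_len);
    buf[plen + value_len] = '\0';
    return buf;
}

int main(void)
{
    printf("safe, normal body : %d\n", handle_set_ddns_safe("ddnsEn=1&ddnsDomain=example.com"));
    printf("safe, 200-byte    : %d\n", handle_set_ddns_safe(oversized_body(200)));
    printf("classify, 200     : %d\n", classify_request("POST", "/goform/SetDDNSCfg", oversized_body(200)));
    printf("classify, 1200    : %d\n", classify_request("POST", "/goform/SetDDNSCfg", oversized_body(1200)));
    return 0;
}
```

The hardened handler rejects rather than truncates because a silently shortened value would be accepted as valid configuration; the classifier keeps both tests (total body size and per-field length) because an overflow of a small buffer can arrive in a body far below the SIEM query's 1000-byte threshold.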
