CVE-2025-11387

8.8 HIGH

📋 TL;DR

A stack-based buffer overflow exists in Tenda AC15 routers in the /goform/fast_setting_pppoe_set endpoint and is triggered by manipulating the Password argument. A remote attacker can crash the device or potentially execute arbitrary code. Tenda AC15 routers running the vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Tenda AC15
Versions: 15.03.05.18
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface which is typically enabled by default on port 80/443.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, persistent backdoor installation, and lateral movement into connected networks.

🟠 Likely Case: Device crash causing denial of service, potentially requiring physical reset or firmware reflash.

🟢 If Mitigated: Limited impact if device is behind firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub; exploitation requires network access to the web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware
3. Access router web interface
4. Navigate to System Tools > Firmware Upgrade
5. Upload and install new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to web management interface

Network Segmentation

all

Isolate router on separate VLAN with restricted access

🧯 If You Can't Patch

  • Replace affected device with supported model
  • Implement strict firewall rules blocking all access to router web interface from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or similar section

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is newer than 15.03.05.18

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /goform/fast_setting_pppoe_set with long Password parameter
  • Router crash/reboot logs

Network Indicators:

  • Unusual HTTP traffic to router management port with buffer overflow patterns

SIEM Query:

source="router_logs" AND (uri="/goform/fast_setting_pppoe_set" OR message="buffer overflow")
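The log indicator above, as a detection sketch (an added example, not code from the advisory or the vendor). It assumes a sensor or reverse proxy that captures full HTTP requests, since the router itself may not log POST bodies; the 128-character threshold, the sample requests and the other field and endpoint names are constructed assumptions.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET_PATH = "/goform/fast_setting_pppoe_set"  # endpoint named in the advisory
FIELD = "password"  # the "Password" argument, compared case-insensitively
MAX_LEN = 128  # ASSUMPTION: alerting threshold, not the firmware's real buffer size


def inspect_request(raw: bytes):
    """Return an alert dict for an oversized Password argument, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.decode("latin-1").split("\r\n")[0].split(" ")
    if len(parts) != 3:
        return None  # not a well-formed request line
    method, target, _version = parts
    url = urlsplit(target)
    if method.upper() != "POST" or unquote(url.path) != TARGET_PATH:
        return None
    # parse_qsl percent-decodes, so the length checked is the decoded value
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    # the argument may also be supplied in the query string
    fields += parse_qsl(url.query, keep_blank_values=True)
    longest = max((len(v) for k, v in fields if k.lower() == FIELD), default=0)
    if longest > MAX_LEN:
        return {"path": TARGET_PATH, "field": "Password", "length": longest}
    return None


def _req(target: str, body: str) -> bytes:
    """Build a constructed HTTP request for the samples below."""
    return (f"POST {target} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed sample traffic (field names other than Password are hypothetical)
SAMPLES = {
    "normal": _req(TARGET_PATH, "username=user1&Password=hunter2"),
    "oversized": _req(TARGET_PATH, "username=user1&Password=" + "x" * 600),
    "encoded": _req(TARGET_PATH, "Password=" + "%78" * 600),
    "other": _req("/goform/other_endpoint", "Password=" + "x" * 600),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```

Tune MAX_LEN to the longest PPPoE password legitimately used in your environment.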
