Login Sign Up

CVE-2025-11528

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

This vulnerability in Tenda AC7 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the saveAutoQos function. Attackers can exploit this without authentication to potentially take full control of affected devices. Users of Tenda AC7 routers with firmware version 15.03.06.44 are affected.

💻 Affected Systems

Products:
  • Tenda AC7
Versions: 15.03.06.44
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface component. All devices running this firmware version are vulnerable.

📦 What is this software?

Ac7 Firmware by Tenda

View all CVEs affecting Ac7 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistent remote access, network traffic interception, and lateral movement to other devices on the network.

🟠

Likely Case

Remote code execution leading to device takeover, creation of botnet nodes, or deployment of malware.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Remote exploitation is possible and public exploit exists.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists on GitHub. Remote exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router web interface

Access router admin panel -> Advanced Settings -> Remote Management -> Disable

Network segmentation

all

Isolate router management interface from untrusted networks

Configure firewall rules to block external access to port 80/443 on router IP

🧯 If You Can't Patch

  • Replace affected devices with patched or different vendor equipment
  • Implement strict network access controls to limit exposure of router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or About page

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is newer than 15.03.06.44 after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/saveAutoQos
  • Multiple failed buffer overflow attempts
  • Unexpected device reboots

Network Indicators:

  • HTTP requests with long enable parameter values to router IP
  • Traffic spikes to router management port

SIEM Query:

source="router.log" AND (uri="/goform/saveAutoQos" OR "enable=" AND length>100)

📊 Metadata

CVE ID: CVE-2025-11528
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
EPSS Score: 0.14% exploit probability (33.8th percentile)
Published: October 9, 2025
Last Updated: October 9, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11528, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)