CVE-2025-12595 – A buffer overflow vulnerability in Tenda AC23 r... (How to Fix)

Q: What is the severity of CVE-2025-12595?

CVE-2025-12595 has a CVSS score of 8.8 (HIGH). A buffer overflow vulnerability in Tenda AC23 routers allows remote attackers to execute arbitrary code by manipulating the argument list in the formSetVirtualSer function. This affects Tenda AC23 routers running firmware version 16.03.07.52. Attackers can exploit this without authentication to potentially take full control of affected devices.

📋 TL;DR

A buffer overflow vulnerability in Tenda AC23 routers allows remote attackers to execute arbitrary code by manipulating the argument list in the formSetVirtualSer function. This affects Tenda AC23 routers running firmware version 16.03.07.52. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:

Tenda AC23

Versions: 16.03.07.52

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running the vulnerable firmware version are affected. The vulnerable endpoint is accessible via web interface.

📦 What is this software?

Ac23 Firmware by Tenda

View all CVEs affecting Ac23 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, creation of persistent backdoors, lateral movement to internal networks, and botnet recruitment.

🟠

Likely Case

Remote code execution resulting in device takeover, credential theft, and use as pivot point for internal network attacks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing devices immediate targets.

🏢 Internal Only: MEDIUM - Internal devices still vulnerable to internal attackers or compromised hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available on GitHub. The vulnerability requires no authentication and has straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware for AC23. 3. Log into router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Log into router admin > Advanced > System Tools > Remote Management > Disable

Network Segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

Block inbound access to router web interface (port 80/443) at network perimeter
Replace vulnerable devices with patched or different vendor equipment

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface: System Status > Firmware Version. If version is 16.03.07.52, device is vulnerable.

Check Version:

curl -s http://router-ip/ | grep -i firmware

Verify Fix Applied:

After firmware update, verify version is no longer 16.03.07.52. Test if /goform/SetVirtualServerCfg endpoint still accepts malformed input.

📡 Detection & Monitoring

Log Indicators:

Multiple POST requests to /goform/SetVirtualServerCfg with long parameters
Unusual process execution in router logs
Failed authentication attempts followed by exploitation attempts

Network Indicators:

Unusual outbound connections from router
Traffic to known exploit repositories
POST requests with buffer overflow patterns to router IP

SIEM Query:

source="router_logs" AND (uri="/goform/SetVirtualServerCfg" AND content_length>1000) OR (process="malicious_binary" AND host="router")

📊 Metadata

CVE ID: CVE-2025-12595

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

Published: November 2, 2025

Last Updated: February 24, 2026

🔗 References

https://github.com/LX-LX88/cve/issues/8 Exploit,Issue Tracking,Third Party Advisory
https://vuldb.com/?ctiid.330890 Permissions Required,VDB Entry
https://vuldb.com/?id.330890 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.677581 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product
https://github.com/LX-LX88/cve/issues/8 Exploit,Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12595, you might also want to check these: