Login Sign Up

CVE-2025-14654

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda AC20 routers via a stack-based buffer overflow in the HTTP daemon. Attackers can exploit this without authentication to potentially take full control of affected devices. All users running the vulnerable firmware version are at risk.

💻 Affected Systems

Products:
  • Tenda AC20
Versions: 16.03.08.12
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable HTTP daemon runs by default on port 80. No special configuration is required for exploitation.

📦 What is this software?

Ac20 Firmware by Tenda

View all CVEs affecting Ac20 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering, though internal network compromise remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists in GitHub repositories. The vulnerability requires no authentication and has straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda's official website for firmware updates. 2. Download the latest firmware for AC20. 3. Log into router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install the new firmware. 6. Reboot the router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to the vulnerable HTTP interface

Network Segmentation

all

Isolate AC20 routers from critical network segments

🧯 If You Can't Patch

  • Block inbound access to router web interface (port 80/443) at network perimeter
  • Replace vulnerable devices with supported models from vendors with active security updates

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status or System Tools > Firmware Upgrade

Check Version:

curl -s http://router-ip/ | grep -i version or check web interface

Verify Fix Applied:

Verify firmware version is newer than 16.03.08.12 after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/setPptpUserList
  • Multiple failed buffer overflow attempts in HTTP logs
  • Unexpected router configuration changes

Network Indicators:

  • Exploit traffic patterns matching public PoCs
  • Unusual outbound connections from router IP
  • HTTP requests with oversized 'list' parameter

SIEM Query:

source="router_logs" AND (uri="/goform/setPptpUserList" OR method="POST" AND size>1000)

📊 Metadata

CVE ID: CVE-2025-14654
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
EPSS Score: 0.09% exploit probability (25.9th percentile)
Published: December 14, 2025
Last Updated: December 19, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14654, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)