CVE-2025-15217

8.8 HIGH

📋 TL;DR

A buffer overflow in the formSetPPTPUserList handler of Tenda AC23 routers allows a remote attacker to execute arbitrary code by sending a specially crafted HTTP POST request. This affects Tenda AC23 routers running firmware version 16.03.07.52. Exploitation requires no authentication and can be performed from the network.

💻 Affected Systems

Products:
  • Tenda AC23
Versions: 16.03.07.52
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the HTTP POST request handler component; vulnerable in default configuration with PPTP features enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete router compromise, credential theft, network pivoting, and persistent backdoor installation.

🟠 Likely Case

Router takeover enabling traffic interception, DNS manipulation, and network disruption.

🟢 If Mitigated

Limited impact if the router sits behind a firewall with restricted WAN access and strong network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but external exposure is primary concern.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public technical details are available; the overflow is triggered through the 'list' argument of the handler, which makes remote exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check the Tenda website for firmware updates
2. Download the latest firmware
3. Access the router admin interface
4. Upload and apply the firmware update
5. Reboot the router

🔧 Temporary Workarounds

Disable Remote Management

Disable WAN access to the router administration interface. Note that this removes only the internet-facing exposure; the handler is still reachable from the LAN, so it is a reduction in exposure, not a fix.

Access router admin > Advanced > System > Remote Management > Disable

Network Segmentation

Place the router behind a firewall with restricted inbound access. The rules below are for a Linux-based upstream firewall and drop inbound TCP to the HTTP and HTTPS ports; as written they block every client, including LAN hosts, so scope them to the WAN-facing interface (for example with -i <wan-interface>) if administrative access from the LAN must remain available.

# drop inbound HTTP to the management interface
iptables -A INPUT -p tcp --dport 80 -j DROP
# drop inbound HTTPS to the management interface
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Replace affected Tenda AC23 router with different model or vendor
  • Implement strict network ACLs to block all inbound traffic to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface: System Status > Firmware Version

Check Version:

curl -s http://router-ip/status.cgi | grep version

Verify Fix Applied:

Verify that the firmware version reported in the admin interface is newer than 16.03.07.52 after the update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to formSetPPTPUserList endpoint
  • Multiple failed buffer overflow attempts in router logs
  • Unexpected router reboots or crashes

Network Indicators:

  • HTTP POST requests with oversized 'list' parameter to router IP
  • Traffic patterns suggesting router compromise (unusual outbound connections)

SIEM Query:

source="router.log" AND "formSetPPTPUserList" AND (POST OR buffer)
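The SIEM query above only matches on the handler name. Where request bodies are available (for example from a reverse proxy or a packet capture exported to records), the network indicator listed above, an oversized 'list' parameter in a POST to formSetPPTPUserList, can be checked directly. The following is an added example written for this page, not code from the advisory or from Tenda: the record fields, the sample requests and the 256-byte length threshold are all constructed assumptions, and the threshold should be tuned to what the device's own management UI normally sends.

```python
from urllib.parse import parse_qs

# Handler name as given in the advisory; the full URL path on the device is not
# stated there, so we match on the substring rather than an exact path.
HANDLER = "formSetPPTPUserList"

# Assumed threshold: a legitimate PPTP user-list entry is short, so a 'list'
# value of hundreds of bytes is unexpected and worth an alert.
MAX_LIST_LEN = 256


def inspect_request(src, method, path, body):
    """Return a finding dict if this request looks like an overflow attempt, else None."""
    if method != "POST" or HANDLER not in path:
        return None
    # parse_qs handles percent-encoding and repeated keys for us.
    params = parse_qs(body, keep_blank_values=True)
    longest = max((len(v) for v in params.get("list", [])), default=0)
    if longest > MAX_LIST_LEN:
        return {
            "src": src,
            "path": path,
            "list_len": longest,
            "reason": "oversized 'list' parameter to " + HANDLER,
        }
    return None


def scan(records):
    """Run inspect_request over a list of request records and collect findings."""
    findings = []
    for rec in records:
        finding = inspect_request(rec["src"], rec["method"], rec["path"], rec["body"])
        if finding:
            findings.append(finding)
    return findings


def repeated_sources(findings, threshold=2):
    """Sources that produced at least `threshold` findings: repeated attempts are a stronger signal."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample records (not real traffic). Field names are assumptions.
SAMPLE_RECORDS = [
    {"src": "192.0.2.10", "method": "POST", "path": "/goform/formSetPPTPUserList",
     "body": "list=vpnuser;secret"},
    {"src": "192.0.2.10", "method": "POST", "path": "/goform/formSetPPTPUserList",
     "body": "list=" + "A" * 3000},
    {"src": "192.0.2.12", "method": "GET", "path": "/status.cgi", "body": ""},
    {"src": "192.0.2.10", "method": "POST", "path": "/goform/formSetPPTPUserList",
     "body": "list=" + "B" * 1200 + "&other=x"},
    {"src": "198.51.100.7", "method": "POST", "path": "/goform/formSetPPTPUserList",
     "body": "list=user2;pw2"},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_RECORDS)
    for h in hits:
        print(f"ALERT src={h['src']} path={h['path']} list_len={h['list_len']}")
    print("repeat offenders:", repeated_sources(hits))
```

The length check is deliberately simple; the point is to alert on the parameter that the advisory names rather than on the handler alone, which legitimate configuration changes also hit. Pair it with the log indicators above (unexpected reboots after such requests) to separate a crashed device from a successful compromise.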
