CVE-2025-15356

8.8 HIGH

📋 TL;DR

A buffer overflow vulnerability in Tenda AC20 routers allows remote attackers to execute arbitrary code by sending specially crafted requests to the PowerSaveSet function. This affects all Tenda AC20 routers running firmware version 16.03.08.12 or earlier. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • Tenda AC20
Versions: Up to and including 16.03.08.12
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The web management interface must be accessible for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, persistent backdoor installation, and lateral movement to other network devices.

🟠 Likely Case: Router compromise allowing traffic interception, DNS hijacking, credential theft, and botnet recruitment.

🟢 If Mitigated: Limited impact if device is behind firewall with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit code exists.
🏢 Internal Only: HIGH - Attackers can exploit from internal networks if they gain initial access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exploit code is available on GitHub. Exploitation requires sending a crafted HTTP POST request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates.
2. If update available, download and install via web interface.
3. If no update available, consider replacing device or implementing workarounds.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Access router web interface -> Advanced Settings -> Remote Management -> Disable

Network Segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

  • Replace affected Tenda AC20 router with a different model or vendor
  • Place router behind a firewall that blocks all inbound traffic to port 80/443

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface: Login -> System Status -> Firmware Version

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is newer than 16.03.08.12

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/PowerSaveSet
  • Multiple failed login attempts followed by PowerSaveSet requests

Network Indicators:

  • HTTP POST requests to /goform/PowerSaveSet with unusual parameter lengths
  • Traffic from unexpected sources to router management port

SIEM Query:

source="router_logs" AND (uri="/goform/PowerSaveSet" OR (method="POST" AND uri CONTAINS "PowerSaveSet"))
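
The log and network indicators above can also be checked offline against exported proxy or IDS logs. The following is an added example, not part of the original advisory or any vendor tooling; the key=value log format, field names, management subnet, body-size threshold and failed-login count are assumptions to adapt to your environment.

```python
import ipaddress
from collections import Counter

ENDPOINT = "/goform/PowerSaveSet"                    # endpoint named in the advisory
MGMT_NET = ipaddress.ip_network("192.168.10.0/24")   # assumption: admin subnet
MAX_BODY = 256      # assumption: ceiling for a normal request body, in bytes
FAILED_LOGINS = 3   # assumption: 401 count that makes a later request suspicious
# Constructed sample lines in an assumed key=value format, not real router output.
SAMPLE_LOG = """\
src=192.168.10.5 method=POST uri=/goform/PowerSaveSet status=200 body_bytes=74
src=192.168.10.9 method=GET uri=/goform/PowerSaveSet status=200 body_bytes=0
src=203.0.113.7 method=POST uri=/login status=401 body_bytes=40
src=203.0.113.7 method=POST uri=/login status=401 body_bytes=40
src=203.0.113.7 method=POST uri=/login status=401 body_bytes=40
src=203.0.113.7 method=POST uri=/goform/PowerSaveSet status=200 body_bytes=60
src=192.168.10.23 method=POST uri=/goform/PowerSaveSet?x=1 status=500 body_bytes=4096
truncated line without fields
"""

def parse(line):
    """Return a normalised event dict, or None if a field is missing or invalid."""
    ev = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {"src": ipaddress.ip_address(ev["src"]), "method": ev["method"].upper(),
                "path": ev["uri"].split("?", 1)[0], "status": ev["status"],
                "size": int(ev["body_bytes"])}
    except (KeyError, ValueError):
        return None

def detect(log_text):
    """Return [(source, [reasons])] for POSTs to ENDPOINT that match an indicator."""
    failed, alerts = Counter(), []
    for ev in filter(None, map(parse, log_text.splitlines())):
        if ev["status"] == "401":
            failed[ev["src"]] += 1          # track failed auth per source
        if ev["method"] != "POST" or ev["path"] != ENDPOINT:
            continue
        checks = {
            "unexpected_source": ev["src"] not in MGMT_NET,
            "oversized_body": ev["size"] > MAX_BODY,
            "after_failed_logins": failed[ev["src"]] >= FAILED_LOGINS,
        }
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            alerts.append((str(ev["src"]), reasons))
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A routine POST from the management subnet produces no alert, so the output stays focused on requests that match at least one indicator.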
