CVE-2025-22946

9.8 CRITICAL

📋 TL;DR

This CVE describes a stack-based buffer overflow in Tenda AC9 v1.0 routers that allows remote attackers to execute arbitrary code by sending specially crafted requests to the /goform/SetOnlineDevName endpoint. The vulnerability affects firmware version 15.03.05.19 and can give an attacker full control of the device.

💻 Affected Systems

Products:
  • Tenda AC9 v1.0 router
Versions: Firmware version 15.03.05.19
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable endpoint is typically accessible via the web management interface, which may be exposed to LAN by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attacker gains complete control of the router, enabling traffic interception, credential theft, network pivoting, and persistent backdoor installation.

🟠 Likely Case

Attacker executes arbitrary code with router privileges, potentially modifying DNS settings, intercepting traffic, or using the router as a foothold into the internal network.

🟢 If Mitigated

With proper network segmentation and firewall rules, impact is limited to the router itself without lateral movement into the broader network.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability stems from a sprintf call that copies request-controlled input into a fixed-size stack buffer without any bounds checking, making exploitation relatively straightforward for attackers with basic reverse engineering skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda's official website for firmware updates.
2. If available, download the latest firmware.
3. Log into the router admin interface.
4. Navigate to the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Disable remote management (all platforms): prevent external access to the router's web interface.

Block vulnerable endpoint (Linux): use firewall rules to block access to /goform/SetOnlineDevName. The iptables string match below requires the xt_string kernel module and only matches the literal path in unencrypted HTTP requests:

iptables -A INPUT -p tcp --dport 80 -m string --string "/goform/SetOnlineDevName" --algo bm -j DROP

🧯 If You Can't Patch

  • Replace the vulnerable router with a different model that receives security updates
  • Segment the router on an isolated network VLAN to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the web interface at 192.168.0.1 or 192.168.1.1; navigate to the System Status or About page.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify that the firmware version is no longer 15.03.05.19 after the update.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /goform/SetOnlineDevName with long parameter values
  • Router reboot events following suspicious requests

Network Indicators:

  • Unusual outbound connections from router IP
  • DNS queries to suspicious domains from router

SIEM Query:

source="router.log" AND (uri="/goform/SetOnlineDevName" AND content_length>1000)
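
The log indicators and SIEM query above, implemented as an added example (not part of the original advisory) that runs the same check offline over constructed access-log lines. The log format, the sample lines and the request-body-size field at the end of each line are assumptions for illustration; real router logs will need their own parser.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real Tenda logs). Assumed format:
# client - - [time] "METHOD URI HTTP/x" status resp_bytes "referer" "ua" req_bytes
SAMPLE_LOG = """\
192.168.0.23 - - [10/Jan/2025:10:01:02 +0000] "POST /goform/SetOnlineDevName HTTP/1.1" 200 42 "-" "Mozilla/5.0" 118
192.168.0.23 - - [10/Jan/2025:10:01:05 +0000] "GET /goform/getStatus HTTP/1.1" 200 512 "-" "curl/8.0" 0
10.0.0.5 - - [10/Jan/2025:10:02:10 +0000] "POST /goform/SetOnlineDevName HTTP/1.1" 200 42 "-" "python-requests/2.31" 2048
10.0.0.5 - - [10/Jan/2025:10:02:11 +0000] "POST /goform/SetOnlineDevName HTTP/1.1" 200 42 "-" "python-requests/2.31" 3100
"""

VULN_ENDPOINT = "/goform/SetOnlineDevName"
LENGTH_THRESHOLD = 1000  # same cutoff as the SIEM query (content_length>1000)

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<req_len>\d+)$'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req_len"] = int(rec["req_len"])
    rec["status"] = int(rec["status"])
    rec["uri"] = rec["uri"].split("?", 1)[0]  # ignore any query string when matching
    return rec

def find_suspicious(log_text, threshold=LENGTH_THRESHOLD):
    """POSTs to the vulnerable endpoint whose request body exceeds the threshold."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["uri"] == VULN_ENDPOINT and rec["req_len"] > threshold:
            hits.append(rec)
    return hits

def sources_by_hit_count(hits):
    """Map source IP -> number of oversized requests, to spot repeated attempts."""
    return Counter(h["src"] for h in hits)

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["ua"]} req_len={h["req_len"]}')
    print(dict(sources_by_hit_count(found)))
```

Pair the per-source counts with router reboot events in the same window to prioritise which sources to investigate first.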
