CVE-2025-57528

7.7 HIGH

📋 TL;DR

This vulnerability in Tenda AC6 routers allows attackers to cause a denial of service through a buffer overflow in the formSetCfm function. An attacker can crash the device by sending specially crafted requests to the SetCfm URI path. Users of the affected Tenda AC6 firmware are at risk.

💻 Affected Systems

Products:
  • Tenda AC6
Versions: US_AC6V1.0BR_V15.03.05.16_multi_TD01
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific firmware version; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device crash requiring a physical power cycle, potentially leading to extended network downtime and service disruption.

🟠 Likely Case

Router becomes unresponsive, requiring a reboot and causing a temporary network outage for connected devices.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to an isolated network segment.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit if they gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repository contains detailed exploitation information and proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for AC6 model
3. Access router admin interface
4. Navigate to firmware upgrade section
5. Upload and apply new firmware
6. Reboot router after update

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict access to the router admin interface to trusted IP addresses only. Rule order matters: the ACCEPT rule must precede the DROP rule. Replace TRUSTED_IP with the address of the management host.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Disable Remote Management (all platforms)

Turn off remote administration features if they are not needed.

🧯 If You Can't Patch

  • Segment router management to isolated VLAN with strict access controls
  • Implement network monitoring for unusual traffic patterns to SetCfm endpoint

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface under the System Status or Firmware Upgrade section.

Check Version:

curl -s http://router-ip/status.cgi | grep firmware

Verify Fix Applied:

Verify that the firmware version has been updated to a version later than US_AC6V1.0BR_V15.03.05.16_multi_TD01.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /SetCfm endpoint
  • Router crash/reboot events in system logs
  • Buffer overflow error messages

Network Indicators:

  • Unusual HTTP POST requests to router IP on port 80 targeting /SetCfm
  • Traffic containing funcname, funcpara1, funcpara2 parameters

SIEM Query:

source="router_logs" AND (uri_path="/SetCfm" OR message="*buffer overflow*")
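As an added detection example, not part of the original advisory: a small Python script that scans web-server access log lines for POST requests to the SetCfm path, counts them per source address, and flags any of the three parameters named above whose value exceeds a length threshold. The log line format, the sample addresses and the threshold are assumptions; the log lines are constructed for this example.

```python
"""Flag SetCfm POST requests in router access logs (added detection example)."""
import re
from collections import Counter
from urllib.parse import parse_qs

# Assumed log format: "<client ip> <method> <path> <query or body>".
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<params>.*)$")
# Parameters the advisory associates with the SetCfm request.
WATCHED = ("funcname", "funcpara1", "funcpara2")
# Assumed threshold; tune to the longest legitimate value seen on your network.
MAX_LEN = 128

# Constructed sample: one benign status poll, one normal SetCfm request,
# and two SetCfm requests from the same host carrying an oversized funcpara1.
SAMPLE_LOG = "\n".join([
    "192.0.2.10 GET /status.cgi -",
    "192.0.2.25 POST /SetCfm funcname=x&funcpara1=y&funcpara2=z",
    "198.51.100.7 POST /SetCfm funcname=a&funcpara1=" + "x" * 300 + "&funcpara2=b",
    "198.51.100.7 POST /SetCfm funcname=a&funcpara1=" + "x" * 300 + "&funcpara2=b",
])


def analyze(log_text):
    """Return (alerts, hits): one alert per SetCfm POST, and POST counts per source IP."""
    alerts = []
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not path.endswith("/SetCfm"):
            continue
        hits[m["ip"]] += 1
        params = parse_qs(m["params"], keep_blank_values=True)
        oversized = [k for k in WATCHED
                     if any(len(v) > MAX_LEN for v in params.get(k, []))]
        alerts.append({
            "ip": m["ip"],
            "oversized": oversized,
            # Any SetCfm POST is worth logging; an oversized value is the real signal.
            "severity": "high" if oversized else "info",
        })
    return alerts, hits


if __name__ == "__main__":
    found, per_source = analyze(SAMPLE_LOG)
    for a in found:
        print(a)
    print("SetCfm POSTs per source:", dict(per_source))
```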
