CVE-2025-5794 – A critical buffer overflow vulnerability in Ten... (How to Fix)

Q: What is the severity of CVE-2025-5794?

CVE-2025-5794 has a CVSS score of 8.8 (HIGH). A critical buffer overflow vulnerability in Tenda AC5 routers allows remote attackers to execute arbitrary code by manipulating the PPTP user list function. This affects Tenda AC5 routers running firmware version 15.03.06.47. Attackers can exploit this without authentication to potentially take full control of affected devices.

📋 TL;DR

A critical buffer overflow vulnerability in Tenda AC5 routers allows remote attackers to execute arbitrary code by manipulating the PPTP user list function. This affects Tenda AC5 routers running firmware version 15.03.06.47. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:

Tenda AC5

Versions: 15.03.06.47

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface's PPTP configuration function. Default configurations are vulnerable as the interface is typically accessible.

📦 What is this software?

Ac5 Firmware by Tenda

View all CVEs affecting Ac5 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, lateral movement into internal networks, persistent backdoor installation, and data exfiltration.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept network traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access, though internal threats could still exploit if network access is gained.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available, making weaponization likely. The vulnerability requires sending crafted HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware for AC5 model. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router after update.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router management interface

Network Segmentation

all

Isolate router management interface to trusted network segments only

🧯 If You Can't Patch

Replace affected devices with patched or alternative models
Implement strict network access controls to limit exposure to vulnerable interfaces

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface. If version is 15.03.06.47, device is vulnerable.

Check Version:

Login to router admin interface and check System Status or Firmware Version page

Verify Fix Applied:

Verify firmware version has been updated to a version later than 15.03.06.47

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to /goform/setPptpUserList
Multiple failed authentication attempts followed by successful access to vulnerable endpoint
Unexpected system reboots or configuration changes

Network Indicators:

HTTP traffic to router management interface with unusual payload sizes
Traffic patterns suggesting buffer overflow attempts
Unexpected outbound connections from router

SIEM Query:

source="router_logs" AND (uri="/goform/setPptpUserList" OR method="POST" AND uri CONTAINS "setPptpUserList")

📊 Metadata

CVE ID: CVE-2025-5794

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.35% exploit probability (57.3th percentile)

Published: June 6, 2025

Last Updated: June 9, 2025

🔗 References

https://lavender-bicycle-a5a.notion.site/Tenda-AC5-formSetPPTPUserList-20a53a41781f806faf61cef61ed929c0?source=copy_link Exploit,Third Party Advisory
https://vuldb.com/?ctiid.311348 Permissions Required
https://vuldb.com/?id.311348 Third Party Advisory
https://vuldb.com/?submit.591223 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product
https://lavender-bicycle-a5a.notion.site/Tenda-AC5-formSetPPTPUserList-20a53a41781f806faf61cef61ed929c0 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-5794, you might also want to check these: