CVE-2025-5847 – This critical vulnerability in Tenda AC9 router... (How to Fix)

Q: What is the severity of CVE-2025-5847?

CVE-2025-5847 has a CVSS score of 8.8 (HIGH). This critical vulnerability in Tenda AC9 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the web management interface. Attackers can exploit this by sending specially crafted HTTP POST requests to the vulnerable endpoint. All users running affected firmware versions are at risk.

📋 TL;DR

This critical vulnerability in Tenda AC9 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the web management interface. Attackers can exploit this by sending specially crafted HTTP POST requests to the vulnerable endpoint. All users running affected firmware versions are at risk.

💻 Affected Systems

Products:

Tenda AC9

Versions: 15.03.02.13

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the default web management interface accessible on port 80. Remote management may be enabled by default in some configurations.

📦 What is this software?

Ac9 Firmware by Tenda

View all CVEs affecting Ac9 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to connected devices, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attacker to modify router settings, intercept traffic, deploy malware, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access, though internal network attacks remain possible.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via HTTP requests to the web interface, making internet-exposed devices immediate targets.

🏢 Internal Only: HIGH - Even internally, any attacker with network access can exploit this vulnerability to compromise the router.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit details are available, and the vulnerability requires no authentication, making it trivial to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware for AC9 model. 3. Access router web interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install new firmware. 6. Reboot router after installation.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to the vulnerable web interface by disabling remote management features.

Network Segmentation

all

Isolate the router on a separate VLAN with restricted access to prevent lateral movement if compromised.

🧯 If You Can't Patch

Replace affected devices with patched or alternative models
Implement strict network access controls to limit traffic to router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface at System Status > Firmware Version. If version is 15.03.02.13, device is vulnerable.

Check Version:

curl -s http://router-ip/ | grep -i firmware or check web interface directly

Verify Fix Applied:

After firmware update, verify version is no longer 15.03.02.13. Test by attempting to access /goform/SetRemoteWebCfg with monitoring for crash or unexpected behavior.

📡 Detection & Monitoring

Log Indicators:

HTTP POST requests to /goform/SetRemoteWebCfg with abnormal remoteIp parameter length
Router crash/reboot logs
Unusual process execution on router

Network Indicators:

HTTP traffic to router port 80 with POST to vulnerable endpoint
Unusual outbound connections from router after exploitation

SIEM Query:

source="router-logs" AND (uri_path="/goform/SetRemoteWebCfg" AND method="POST" AND content_length>100)

📊 Metadata

CVE ID: CVE-2025-5847

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.15% exploit probability (35.4th percentile)

Published: June 8, 2025

Last Updated: June 9, 2025

🔗 References

https://candle-throne-f75.notion.site/Tenda-AC9-formSetSafeWanWebMan-20adf0aa118580a29e80cef9109c947a Exploit,Third Party Advisory
https://vuldb.com/?ctiid.311593 Permissions Required
https://vuldb.com/?id.311593 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.591362 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-5847, you might also want to check these: