CVE-2025-5849 – A critical stack-based buffer overflow vulnerab... (How to Fix)

Q: What is the severity of CVE-2025-5849?

CVE-2025-5849 has a CVSS score of 8.8 (HIGH). A critical stack-based buffer overflow vulnerability in Tenda AC15 routers allows remote attackers to execute arbitrary code by sending specially crafted HTTP POST requests to the /goform/SetRemoteWebCfg endpoint. This affects Tenda AC15 routers running firmware version 15.03.05.19_multi. Attackers can exploit this without authentication to potentially take full control of affected devices.

📋 TL;DR

A critical stack-based buffer overflow vulnerability in Tenda AC15 routers allows remote attackers to execute arbitrary code by sending specially crafted HTTP POST requests to the /goform/SetRemoteWebCfg endpoint. This affects Tenda AC15 routers running firmware version 15.03.05.19_multi. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:

Tenda AC15

Versions: 15.03.05.19_multi

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific firmware version only. The vulnerable endpoint is accessible by default.

📦 What is this software?

Ac15 Firmware by Tenda

View all CVEs affecting Ac15 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, lateral movement to internal networks, persistent backdoor installation, and data exfiltration.

🟠

Likely Case

Router takeover allowing traffic interception, DNS hijacking, credential theft, and use as botnet node.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access, though internal threats remain possible.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via HTTP requests, making internet-exposed devices immediate targets.

🏢 Internal Only: HIGH - Even internally, the vulnerability requires no authentication and can be exploited by any network user.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit details are available, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware for AC15. 3. Access router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to the vulnerable endpoint by disabling remote management features.

Network Segmentation

all

Isolate AC15 routers in separate VLAN with strict firewall rules blocking unnecessary HTTP traffic.

🧯 If You Can't Patch

Replace affected routers with different models or brands that are not vulnerable
Implement strict network access controls to limit traffic to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or System Tools. If version is exactly 15.03.05.19_multi, device is vulnerable.

Check Version:

No CLI command available. Must check via web interface at http://router_ip or via admin panel.

Verify Fix Applied:

After updating firmware, verify version has changed from 15.03.05.19_multi to a newer version.

📡 Detection & Monitoring

Log Indicators:

HTTP POST requests to /goform/SetRemoteWebCfg with unusual remoteIp parameter values
Router crash or reboot logs
Unusual outbound connections from router

Network Indicators:

HTTP traffic to router on port 80/443 with POST to vulnerable endpoint
Unusual payload sizes in HTTP requests to router

SIEM Query:

source="router_logs" AND (url="/goform/SetRemoteWebCfg" OR url="*SetRemoteWebCfg*") AND method="POST"

📊 Metadata

CVE ID: CVE-2025-5849

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.15% exploit probability (35.4th percentile)

Published: June 8, 2025

Last Updated: June 9, 2025

🔗 References

https://candle-throne-f75.notion.site/Tenda-AC15-formSetSafeWanWebMan-20adf0aa1185806daab3ebe0036266cb Exploit,Third Party Advisory
https://vuldb.com/?ctiid.311595 Permissions Required
https://vuldb.com/?id.311595 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.591375 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-5849, you might also want to check these: