CVE-2025-5863 – This critical vulnerability in Tenda AC5 router... (How to Fix)

📋 TL;DR

This critical vulnerability in Tenda AC5 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the reboot timer function. Attackers can exploit this without authentication to potentially take full control of affected devices. All users running vulnerable firmware versions are at risk.

💻 Affected Systems

Products:

Tenda AC5

Versions: 15.03.06.47

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface which is typically enabled by default on port 80/443.

📦 What is this software?

Ac5 Firmware by Tenda

View all CVEs affecting Ac5 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access, though internal network attacks remain possible.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit details available, making weaponization likely. Attack requires sending crafted HTTP request to vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for AC5 model
3. Access router admin interface
4. Navigate to System Tools > Firmware Upgrade
5. Upload and install new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Network Segmentation

all

Isolate router management interface to trusted network

🧯 If You Can't Patch

Disable the router's web management interface entirely if not needed
Implement strict firewall rules to block all external access to router management ports (80, 443, 8080)

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or System Tools

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is newer than 15.03.06.47 after update

📡 Detection & Monitoring

Log Indicators:

HTTP POST requests to /goform/SetRebootTimer with unusually long rebootTime parameter
Multiple failed authentication attempts followed by reboot timer requests

Network Indicators:

Unusual outbound connections from router IP
HTTP requests with buffer overflow patterns to router management port

SIEM Query:

source="router_logs" AND (uri="/goform/SetRebootTimer" AND content_length>100) OR (event="buffer_overflow" AND dest_ip="router_ip")

📊 Metadata

CVE ID: CVE-2025-5863

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.21% exploit probability (43.2th percentile)

Published: June 9, 2025

Last Updated: June 9, 2025

🔗 References

https://lavender-bicycle-a5a.notion.site/Tenda-AC5-formSetRebootTimer-20a53a41781f80a6b9a8f6e5915cf256?source=copy_link Exploit,Third Party Advisory
https://vuldb.com/?ctiid.311622 Permissions Required
https://vuldb.com/?id.311622 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.591981 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-5863, you might also want to check these: