CVE-2025-60661

5.3 MEDIUM

📋 TL;DR

A stack overflow vulnerability in Tenda AC18 routers allows attackers to execute arbitrary code or cause denial of service by sending requests with a specially crafted cloneType parameter. This affects users running Tenda AC18 firmware version V15.03.05.19. Exploitation requires network access to the router's web interface.

💻 Affected Systems

Products:
  • Tenda AC18
Versions: V15.03.05.19
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects this specific firmware version. The vulnerability is in the web management interface component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete router compromise, credential theft, network traffic interception, and lateral movement into connected devices.

🟠 Likely Case

Router crash/reboot causing temporary denial of service, requiring physical reset to restore functionality.

🟢 If Mitigated

No impact if router is not exposed to untrusted networks and firmware is updated.

🌐 Internet-Facing: HIGH - Routers with WAN management enabled or port forwarding to web interface are directly exploitable from the internet.
🏢 Internal Only: MEDIUM - Requires attacker to have network access to the router's LAN interface, making it exploitable by malicious insiders or compromised internal devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The Google Drive reference contains technical details and likely includes proof-of-concept code. Exploitation requires access to the router's web interface but may not require authentication depending on configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for AC18
3. Access router web interface
4. Navigate to System Tools > Firmware Upgrade
5. Upload and install new firmware
6. Reboot router after installation

🔧 Temporary Workarounds

Disable Remote Management

Prevent external access to router web interface

Restrict LAN Access

Use firewall rules to limit which devices can access router management interface

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict access controls
  • Implement network monitoring for exploitation attempts against router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Status or System Tools > Firmware Upgrade

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is no longer V15.03.05.19 after update

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /goform/advSetMacMtuWan with large cloneType parameter
  • Router crash/reboot events in system logs

Network Indicators:

  • HTTP requests with unusually long cloneType parameter values to router IP
  • Traffic patterns suggesting buffer overflow exploitation

SIEM Query:

source="router_logs" AND (uri_path="/goform/advSetMacMtuWan" AND content_length>1000)
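
The log indicators above can also be checked offline against exported proxy or IDS request records. The following is an added example, not code from the vendor or from the original advisory. The record layout (src, method, uri, body), both thresholds and all sample values are assumptions made for illustration. It measures the decoded length of cloneType, so a percent-encoded value is judged by what the router would actually parse.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/advSetMacMtuWan"  # endpoint named in the log indicators
MAX_CLONETYPE_LEN = 64   # assumption: legitimate values are short; tune locally
REPEAT_THRESHOLD = 3     # assumption: "multiple" means 3+ oversized requests per source

def clonetype_len(body: bytes) -> int:
    """Longest percent-decoded cloneType value in a form body (0 if absent)."""
    fields = parse_qs(body, keep_blank_values=True)
    # A duplicated parameter is judged by its longest occurrence.
    return max((len(v) for v in fields.get(b"cloneType", [])), default=0)

def scan(records):
    """Return (alerts, repeat_sources) for an iterable of request records."""
    alerts, oversized = [], Counter()
    for r in records:
        if r["method"].upper() != "POST":
            continue
        # Compare the path only, so a query string cannot hide the endpoint.
        if urlsplit(r["uri"]).path.rstrip("/") != TARGET_PATH:
            continue
        n = clonetype_len(r["body"])
        if n > MAX_CLONETYPE_LEN:
            oversized[r["src"]] += 1
            alerts.append({"src": r["src"], "cloneType_len": n})
    repeat = sorted(s for s, c in oversized.items() if c >= REPEAT_THRESHOLD)
    return alerts, repeat

# Constructed sample records (not real traffic).
_LONG = {"src": "192.168.0.77", "method": "POST", "uri": TARGET_PATH + "?x=1",
         "body": b"cloneType=" + b"%41" * 1200}  # 3600 raw bytes, 1200 decoded
SAMPLE = [
    {"src": "192.168.0.10", "method": "POST", "uri": TARGET_PATH,
     "body": b"cloneType=0"},                    # short value: no alert
    {"src": "192.168.0.20", "method": "GET", "uri": TARGET_PATH,
     "body": b""},                               # not a POST: ignored
    {"src": "192.168.0.30", "method": "POST", "uri": "/some/other/path",
     "body": b"cloneType=" + b"B" * 500},        # different path: ignored
    _LONG, _LONG, _LONG,                         # repeated oversized requests
]

if __name__ == "__main__":
    found, repeat_sources = scan(SAMPLE)
    for a in found:
        print("ALERT", a)
    print("repeat sources:", repeat_sources)
```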
