CVE-2025-63835

8.8 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in Tenda AC18 routers allows remote attackers to crash the device or potentially execute arbitrary code by sending oversized data to the guestSsid parameter. This affects Tenda AC18 routers running firmware version 15.03.05.05_multi. Attackers can exploit this without authentication over the network.

💻 Affected Systems

Products:
  • Tenda AC18
Versions: v15.03.05.05_multi
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The guest WiFi feature must be enabled for the vulnerable interface to be accessible, but this is commonly enabled in default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, persistent backdoor installation, and lateral movement into internal networks.

🟠 Likely Case

Denial of service causing device crash and network disruption, requiring physical reboot to restore functionality.

🟢 If Mitigated

Limited to denial of service if exploit mitigations like ASLR/NX are effective, but device still crashes.

🌐 Internet-Facing: HIGH - The vulnerable interface is accessible over the network without authentication, making internet-exposed devices prime targets.
🏢 Internal Only: HIGH - Even internally, any network-accessible device can be exploited without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code demonstrates reliable denial of service. Remote code execution would require additional exploit development but is feasible given that the flaw is a stack-based buffer overflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found at time of analysis

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates.
2. Download latest firmware for AC18 model.
3. Access router admin interface.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload and install new firmware.
6. Reboot router after installation.

🔧 Temporary Workarounds

Disable Guest WiFi

Disable the guest WiFi feature to remove access to the vulnerable /goform/WifiGuestSet interface.

Access router admin interface > Wireless Settings > Guest Network > Disable Guest WiFi

Network Segmentation

Isolate Tenda AC18 routers in a separate VLAN with strict firewall rules blocking access to management interfaces.

  • Configure firewall to block external access to port 80/443 on router IP
  • Create separate VLAN for IoT devices

🧯 If You Can't Patch

  • Disable guest WiFi feature immediately through admin interface
  • Block external WAN access to router management interface using firewall rules

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status or System Tools > Firmware Upgrade page.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Alternatively, check the version in the web interface.

Verify Fix Applied:

Verify firmware version has changed from v15.03.05.05_multi to a newer version, and test that guest WiFi functionality still works if needed.

📡 Detection & Monitoring

Log Indicators:

  • Repeated POST requests to /goform/WifiGuestSet with large payloads
  • Router crash/reboot events in system logs
  • Unusual network traffic to router management interface

Network Indicators:

  • HTTP POST requests to /goform/WifiGuestSet with oversized guestSsid parameter (> normal SSID length)
  • Sudden loss of connectivity to router

SIEM Query:

http.method:POST AND http.uri:"/goform/WifiGuestSet" AND http.request_body:"guestSsid=" AND bytes > 500
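The SIEM query above keys on total request size. As an added example (not part of the original advisory or any vendor tooling), the following Python sketch applies the network indicator more precisely by URL-decoding the guestSsid value and comparing it with the 32-octet SSID maximum from IEEE 802.11. The record fields (src, method, uri, body), the sample records and the choice of 32 as the alert threshold are assumptions of this example.

```python
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/WifiGuestSet"  # endpoint named on this page
PARAM = "guestSsid"                   # parameter named on this page
MAX_SSID_OCTETS = 32                  # IEEE 802.11 SSID limit, used as threshold (assumption)


def guest_ssid_length(method, uri, body):
    """Longest decoded guestSsid value (in octets) for a POST to the
    WifiGuestSet endpoint, or None when the request is out of scope."""
    parts = urlsplit(uri)
    if method.upper() != "POST" or parts.path.rstrip("/") != TARGET_PATH:
        return None
    lengths = []
    # The parameter can arrive in the form body or the query string.
    for raw in (body, parts.query):
        # latin-1 maps each percent-decoded byte to one character,
        # so len() counts decoded octets rather than raw characters.
        fields = parse_qs(raw, keep_blank_values=True, encoding="latin-1")
        lengths += [len(v) for v in fields.get(PARAM, [])]
    return max(lengths) if lengths else None


def scan(records):
    """Return (source, length) for every record whose guestSsid is oversized."""
    alerts = []
    for rec in records:
        n = guest_ssid_length(rec["method"], rec["uri"], rec["body"])
        if n is not None and n > MAX_SSID_OCTETS:
            alerts.append((rec["src"], n))
    return alerts


# Constructed sample records (documentation addresses), not real traffic.
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "uri": "/goform/WifiGuestSet",
     "body": "guestSsid=Lobby+Guest"},
    {"src": "192.0.2.11", "method": "POST", "uri": "/goform/WifiGuestSet",
     "body": "guestSsid=" + "%41" * 20},   # 60 raw characters, 20 octets decoded
    {"src": "192.0.2.66", "method": "POST", "uri": "/goform/WifiGuestSet",
     "body": "guestSsid=" + "%41" * 40},   # 40 octets decoded: over the limit
    {"src": "192.0.2.67", "method": "POST", "uri": "/goform/WifiGuestSet",
     "body": "guestSsid=" + "A" * 600},
    {"src": "192.0.2.12", "method": "GET", "uri": "/index.html", "body": ""},
]

if __name__ == "__main__":
    for src, n in scan(SAMPLE):
        print(f"ALERT {src}: guestSsid is {n} octets (limit {MAX_SSID_OCTETS})")
```

Measuring the decoded parameter catches oversized values that stay under a 500-byte request threshold and avoids flagging legitimate SSIDs whose percent-encoded form is long.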
