CVE-2025-9023 – A buffer overflow vulnerability in Tenda AC7 an... (How to Fix)

Q: What is the severity of CVE-2025-9023?

CVE-2025-9023 has a CVSS score of 8.8 (HIGH). A buffer overflow vulnerability in Tenda AC7 and AC18 routers allows remote attackers to execute arbitrary code by manipulating the Time parameter in the formSetSchedLed function. This affects routers running vulnerable firmware versions, potentially giving attackers full control of the device. The vulnerability is remotely exploitable without authentication.

📋 TL;DR

A buffer overflow vulnerability in Tenda AC7 and AC18 routers allows remote attackers to execute arbitrary code by manipulating the Time parameter in the formSetSchedLed function. This affects routers running vulnerable firmware versions, potentially giving attackers full control of the device. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:

Tenda AC7
Tenda AC18

Versions: 15.03.05.19, 15.03.06.44

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects routers with web management interface enabled (default configuration).

📦 What is this software?

Ac18 Firmware by Tenda

View all CVEs affecting Ac18 Firmware →

Ac7 Firmware by Tenda

View all CVEs affecting Ac7 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, network infiltration, credential theft, and persistent backdoor installation.

🟠

Likely Case

Router takeover enabling traffic interception, DNS manipulation, credential harvesting, and lateral movement into connected networks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering, though internal network compromise remains possible.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing routers with web management interfaces exposed.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the router's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code exists in GitHub repositories, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found in provided references

Restart Required: Yes

Instructions:

1. Check Tenda's official website for firmware updates. 2. Download latest firmware for your model. 3. Access router web interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router web interface

Restrict management interface access

all

Limit web interface access to specific IP addresses

🧯 If You Can't Patch

Isolate affected routers in separate network segments
Implement strict firewall rules blocking all inbound traffic to router management ports (typically 80/443)

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: Login > System Status > Firmware Version

Check Version:

No CLI command available; must use web interface

Verify Fix Applied:

Verify firmware version is no longer 15.03.05.19 or 15.03.06.44

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/SetLEDCfg
Multiple failed buffer overflow attempts
Unexpected router reboots

Network Indicators:

Unusual traffic patterns from router
Suspicious outbound connections from router
DNS hijacking attempts

SIEM Query:

source="router_logs" AND (uri="/goform/SetLEDCfg" OR message="buffer overflow" OR message="formSetSchedLed")

📊 Metadata

CVE ID: CVE-2025-9023

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.37% exploit probability (58.4th percentile)

Published: August 15, 2025

Last Updated: October 3, 2025

🔗 References

https://github.com/zezhifu1/cve_report/blob/main/AC18/formsetschedled.md Exploit,Third Party Advisory
https://github.com/zezhifu1/cve_report/blob/main/AC7/formsetschedled.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.320088 Permissions Required,VDB Entry
https://vuldb.com/?id.320088 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.629692 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.629696 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-9023, you might also want to check these: