CVE-2025-9791
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Tenda AC20 routers via a stack-based buffer overflow in the /goform/fromAdvSetMacMtuWan endpoint. Attackers can exploit this by sending specially crafted requests to manipulate the wanMTU parameter. All users running the affected firmware version are at risk.
💻 Affected Systems
- Tenda AC20
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router leading to persistent backdoor installation, network traffic interception, lateral movement to connected devices, and botnet recruitment.
Likely Case
Router takeover enabling DNS hijacking, credential theft from network traffic, and denial of service to connected devices.
If Mitigated
Limited impact if the router is behind a firewall with strict inbound filtering and network segmentation prevents lateral movement.
🎯 Exploit Status
Public proof-of-concept code exists and exploitation requires minimal technical skill due to the straightforward buffer overflow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: Yes
Instructions:
1. Check Tenda's official website for firmware updates.
2. Download the latest firmware for AC20.
3. Log into the router admin interface.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload and install the new firmware.
6. Reboot the router.
🔧 Temporary Workarounds
Block External Access
Configure firewall rules to block all inbound traffic to the router's web interface from external networks. Note that the two rules below, as written, drop inbound HTTP and HTTPS on every interface, including the LAN side; if local administration must keep working, scope them to the WAN interface only (for example with an -i match on that interface).
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disable Remote Management
Turn off remote management features in the router settings to prevent external exploitation.
🧯 If You Can't Patch
- Isolate the router on a dedicated VLAN with strict firewall rules limiting communication to only necessary services.
- Implement network monitoring to detect exploitation attempts targeting the /goform/fromAdvSetMacMtuWan endpoint.
🔍 How to Verify
Check if Vulnerable:
Check router firmware version in admin interface under System Status or System Tools > Firmware Upgrade.
Check Version:
curl -s http://router-ip/goform/status | grep version
Verify Fix Applied:
Verify that the firmware version shown in the admin interface has changed from 16.03.08.05 to a newer version after the update.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /goform/fromAdvSetMacMtuWan with abnormal wanMTU parameter values
- Router crash/reboot logs
Network Indicators:
- Unusual outbound connections from router to unknown IPs
- DNS query anomalies suggesting hijacking
SIEM Query:
source="router.log" AND (uri_path="/goform/fromAdvSetMacMtuWan" AND post_data CONTAINS "wanMTU")
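The log indicators and the SIEM query above describe the signal in words; the following is an added detection example (not code from the advisory or from Tenda) that applies the same rule to a handful of constructed, syslog-style request records. It assumes a hypothetical "timestamp source method path body" record format produced by a log forwarder, and treats a wanMTU value as abnormal when it is not a short integer inside the usual IPv4 WAN MTU range of 576 to 1500 (that range is an assumption for the rule, not something the advisory states).

```python
import re
from urllib.parse import parse_qs

# Constructed sample records (not from any real device). Format is a hypothetical
# "timestamp source method path body" line as a forwarder might emit it.
SAMPLE_LOG = """\
2025-09-01T10:00:01 192.168.0.23 POST /goform/fromAdvSetMacMtuWan wanMTU=1500&wanSpeed=auto
2025-09-01T10:00:05 192.168.0.23 POST /goform/fromAdvSetMacMtuWan wanMTU=1492&wanSpeed=auto
2025-09-01T10:02:17 203.0.113.9 POST /goform/fromAdvSetMacMtuWan wanMTU=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&wanSpeed=auto
2025-09-01T10:02:18 192.168.0.23 GET /goform/status
"""

TARGET_PATH = "/goform/fromAdvSetMacMtuWan"
MTU_MIN, MTU_MAX = 576, 1500  # assumed sane range for an IPv4 WAN MTU

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>\S+))?$"
)


def parse_line(line):
    """Parse one record into a dict; the body (if any) is decoded as form data."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qs(rec["body"] or "", keep_blank_values=True)
    return rec


def is_abnormal_mtu(value):
    """True when wanMTU is not a short integer inside the expected MTU range."""
    if len(value) > 5 or not value.isdigit():
        return True
    return not (MTU_MIN <= int(value) <= MTU_MAX)


def detect(log_text):
    """Return one alert per POST to the affected endpoint carrying an abnormal wanMTU."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        for value in rec["params"].get("wanMTU", []):
            if is_abnormal_mtu(value):
                alerts.append({
                    "ts": rec["ts"],
                    "src": rec["src"],
                    "wanMTU_len": len(value),
                    # keep only a short preview so the alert itself stays readable
                    "wanMTU_preview": value[:16],
                })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} abnormal wanMTU (len={a['wanMTU_len']}) "
              f"preview={a['wanMTU_preview']!r}")
```

Only the third record trips the rule; the two legitimate MTU changes from the LAN host pass. In a real deployment the value length threshold and MTU bounds belong in configuration, and the alert is worth correlating with the router crash/reboot indicator listed above, since a failed overflow attempt often shows up as a reboot shortly after the request.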
🔗 References
- https://github.com/Cpppq43/Tenda/blob/main/Tenda_AC20_V16.03.08.05.md
- https://github.com/Cpppq43/Tenda/blob/main/Tenda_AC20_V16.03.08.05.md#poc
- https://vuldb.com/?ctiid.322106
- https://vuldb.com/?id.322106
- https://vuldb.com/?submit.641088
- https://www.tenda.com.cn/