CVE Alert: CVE-2025-9791 – Tenda – AC20
CVE-2025-9791
A weakness has been identified in Tenda AC20 16.03.08.05. The vulnerability affects unknown code in the file /goform/fromAdvSetMacMtuWan: manipulation of the argument wanMTU causes a stack-based buffer overflow. Remote exploitation is possible, and an exploit has been made public.
AI Summary Analysis
Risk verdict
High risk of remote code execution on affected Tenda AC20 devices due to a stack-based overflow, with a publicly available exploit increasing likelihood; prioritise if the device is network-reachable.
Why this matters
Compromise of the router yields full control over the network perimeter, enabling data exfiltration, manipulation, or disruption of services. Attackers can pivot to internal assets or neighbouring devices, elevating impact across consumer and small-business environments that rely on these routers.
Most likely attack path
An attacker with network access can send a crafted wanMTU value to /goform/fromAdvSetMacMtuWan, triggering a stack overflow and remote code execution. No user interaction is required and low privileges suffice, with the potential for full device compromise and data/availability impact within the affected scope.
Who is most exposed
Most at risk are home and small-office deployments with internet-facing management interfaces or port-forwarded access, particularly devices deployed in environments where WAN/MTU configuration is exposed to external networks.
Detection ideas
- Unusual or crafted WAN MTU requests observed targeting /goform/fromAdvSetMacMtuWan
- Router crashes, memory corruption errors, or abnormal kernel/diagnostic logs
- Repeated unauthorized admin-interface access attempts from external networks
- Matches on signatures for the public PoC in security tooling, or related indicators from threat-intelligence feeds
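The first detection idea above can be turned into a concrete log check. The script below is an added example, not code from the advisory's author or from Tenda. It assumes a reverse proxy or IDS in front of the router records CLF-style access lines with the form body appended as a trailing quoted field (a constructed format), that legitimate management traffic only comes from the LAN ranges listed in TRUSTED_NETS, and that a WAN MTU should be a short decimal number between 576 and 1500; all three are assumptions to tune per deployment. It flags requests to /goform/fromAdvSetMacMtuWan whose wanMTU argument is non-numeric, overlong or out of range, or which arrive from an untrusted address.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Endpoint and argument named in the advisory.
TARGET_PATH = "/goform/fromAdvSetMacMtuWan"
PARAM = "wanMTU"

# Plausible WAN MTU bounds (IPv4 minimum reassembly size to standard Ethernet);
# an assumption for this example, tune to the deployment.
MTU_MIN, MTU_MAX = 576, 1500
# A legitimate MTU never needs more characters than this; longer values are
# flagged even when they happen to be all digits.
MAX_VALUE_LEN = 5

# Assumption: management traffic is only expected from these LAN ranges.
TRUSTED_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# CLF-style access line with an optional quoted form body at the end, as a
# reverse proxy or IDS in front of the router might record it (constructed format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<body>[^"]*)")?$'
)


def _param_value(target, body):
    """Return the first wanMTU value from the query string or form body, if any."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if body:
        params.update(parse_qs(body, keep_blank_values=True))
    values = params.get(PARAM)
    return values[0] if values else None


def classify(line):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or urlsplit(m["target"]).path != TARGET_PATH:
        return None

    reasons = []
    src = m["src"]
    try:
        if not any(ip_address(src) in net for net in TRUSTED_NETS):
            reasons.append("untrusted source")
    except ValueError:
        reasons.append("unparseable source")

    value = _param_value(m["target"], m["body"])
    if value is not None:
        numeric = value.isascii() and value.isdigit()
        if not numeric:
            reasons.append("non-numeric wanMTU")
        if len(value) > MAX_VALUE_LEN:
            reasons.append("oversized wanMTU")
        if numeric and not MTU_MIN <= int(value) <= MTU_MAX:
            reasons.append("out-of-range wanMTU")

    if not reasons:
        return None
    return {"source": src, "status": m["status"], "value": value, "reasons": reasons}


def scan(lines):
    """Run classify over an iterable of log lines and collect the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample lines: one benign LAN change, one valid value from an
# untrusted address, one overlong non-numeric value, one out-of-range value,
# and one unrelated request.
SAMPLE_LOG = [
    '192.168.0.10 - - [10/Oct/2025:12:00:00 +0000] "POST /goform/fromAdvSetMacMtuWan HTTP/1.1" 200 45 "wanMTU=1480&wanMAC=00:11:22:33:44:55"',
    '203.0.113.7 - - [10/Oct/2025:12:00:05 +0000] "POST /goform/fromAdvSetMacMtuWan HTTP/1.1" 200 45 "wanMTU=1500"',
    '192.168.0.22 - - [10/Oct/2025:12:00:09 +0000] "POST /goform/fromAdvSetMacMtuWan HTTP/1.1" 500 0 "wanMTU=' + "A" * 40 + '"',
    '192.168.0.22 - - [10/Oct/2025:12:00:12 +0000] "GET /goform/fromAdvSetMacMtuWan?wanMTU=99999 HTTP/1.1" 200 12',
    '192.168.0.22 - - [10/Oct/2025:12:00:15 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 5xx status paired with a flagged value (the third sample line) is the strongest signal, since it matches the crash behaviour listed in the second detection idea; the untrusted-source rule on its own only indicates that the management interface is reachable from where it should not be.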
Mitigation and prioritisation
- Apply vendor-supplied firmware patch (16.03.08.05 or newer) immediately; verify integrity after update
- Where possible, ensure the WAN MTU and other configuration endpoints are not reachable from the internet
- Enforce network access controls: restrict management interfaces to trusted networks, disable remote management, implement strict ACLs
- Segment networks to limit router exposure, and monitor for anomalous router reboots or crashes
- Schedule test deployment in a controlled environment prior to broad rollout; ensure asset inventory is updated
- Note: if the CVE is listed in KEV or its EPSS score is ≥ 0.5, treat it as priority 1 (applies only when such indicators are present).