CVE Alert: CVE-2025-10803 – Tenda – AC23
CVE-2025-10803
A vulnerability has been found in Tenda AC23 up to 16.03.07.52. Affected by this vulnerability is the function sscanf of the file /goform/SetPptpServerCfg of the component HTTP POST Request Handler. Such manipulation of the argument startIp leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AI Summary Analysis
Risk verdict
High risk: remote, network-based code execution with a publicly available PoC; attacker needs only low privileges on the target.
Why this matters
The vulnerability allows full Confidentiality, Integrity and Availability impact if exploited, enabling an attacker to seize control of the device and potentially pivot to adjacent systems. With a PoC and public exploit, opportunistic attackers can rapidly weaponise exposed devices, increasing likelihood of widespread disruption or data exposure in consumer/SMB networks.
Most likely attack path
An attacker discovers an Internet- or LAN-accessible instance via standard scanning, then sends a crafted HTTP POST to the affected endpoint, exploiting a sscanf buffer overflow in startIp. Exploitation requires low privileges and no user interaction, leading to immediate memory corruption and full compromise. The unchanged scope and total impact indicate the attacker may retain control without broad lateral movement prerequisites, enabling device takeover or targeted data manipulation.
Who is most exposed
Commonly deployed in home and small business networks with WAN exposure and outward-facing HTTP management enabled or insufficiently protected. Devices in these environments often lack strict segmentation, making a compromised router a strong foothold for broader network access.
Detection ideas
- Unusual HTTP POSTs to /goform/SetPptpServerCfg with oversized or malformed startIp values
- Repeated crashes or memory allocation failures in the HTTP POST handler
- Logs showing unexpected process terminations, core dumps, or abnormal PPP-related activity
- Anomalous reboot/restore events following POST requests
- Increased outbound connections or abnormal data patterns from the device
Mitigation and prioritisation
- Apply the vendor update (patch to a fixed 16.03.07.52+/later) or newer firmware immediately; verify integrity of the update
- Disable or restrict remote management/HTTP access to the device from untrusted networks; enforce tight ACLs
- Place devices behind segment firewalls or WAF rules filtering the affected endpoint; monitor for POST anomalies
- Review network topology: isolate IoT/edge devices from critical assets; enforce network segmentation
- Schedule patching within the current maintenance window; confirm successful rollout and re-check logs for exploitation indicators
Note: EPSS data is not provided; KEV status not explicitly stated. If KEV or EPSS≥0.5 is confirmed, elevate prioritisation accordingly.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
