CVE Alert: CVE-2025-11325 – Tenda – AC18

Risk verdict

High risk: remote, publicly exploitable code execution on Tenda AC18; exploitation is feasible without user interaction and could give attackers full device control.

Why this matters

Compromised routers enable traffic interception, credential harvesting, and potential pivot into the wider network. In homes and small offices, exposed management interfaces can be gateways for persistent access, data exfiltration, or lateral movement to adjacent devices.

Most likely attack path

Network-based exploit against the fast_setting_pppoe_set endpoint; no user interaction required. The attacker needs low privileges and can trigger a stack-based overflow leading to full compromise, with the device’s C/I/A all at risk.

Who is most exposed

Common in consumer/home networking deployments with WAN-facing admin access; devices with internet-connected routers and default or weak access controls are most at risk.

Detection ideas

• Unusual or repeated crashes/reboots of the device
• High CPU/memory utilisation linked to /goform/fast_setting_pppoe_set traffic
• Unexpected network requests carrying crafted Username payloads
• Admin logs showing rapid or failed login attempts from external sources
• Signature or IOC matches from known PoC exploit patterns

Mitigation and prioritisation

• Apply vendor firmware update that fixes the flaw; verify patch level before deployment
• If patching is delayed, disable or restrict remote/manageable access to the device (LAN-only management)
• Enforce strict access controls and change default/admin credentials; implement network segmentation/firewalls to limit exposure
• Monitor for indicators of exploit activity and device instability
• If KEV true or EPSS ≥ 0.5, treat as priority 1; data not provided here, so state as high-priority unless those indicators exist.