CVE Alert: CVE-2025-11324 - Tenda - AC18

CVE-2025-11324

HIGHNo exploitation known

A vulnerability was identified in Tenda AC18 15.03.05.19(6318). Affected by this vulnerability is an unknown functionality of the file /goform/setNotUpgrade. Such manipulation of the argument newVersion leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used.

CVSS v3.1 (8.8)

Vendor

Tenda

Product

AC18

Versions

15.03.05.19(6318)

CWE

CWE-121, Stack-based Buffer Overflow

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

Published

2025-10-06T06:32:06.564Z

Updated

2025-10-06T06:32:06.564Z

References

https://vuldb.com/?id.327207

https://vuldb.com/?ctiid.327207

https://vuldb.com/?submit.664526

https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC18/setNotUpgrade.md

https://www.tenda.com.cn/

AI Summary Analysis

Risk verdict

High risk of remote code execution on the affected device due to a network-exploitable stack overflow; a publicly available exploit exists.

Why this matters

The flaw allows an attacker to compromise confidentiality, integrity and availability, potentially gaining full control of the device. In aggregate, exploitation could enable device takeover, data exfiltration, disruption of services and lateral movement within the local network.

Most likely attack path

An attacker can trigger the overflow over the network (no user interaction required) with low effort and minimal privileges. Successful exploitation could yield high-impact access, enabling further control of the device and possible movement to other networked assets within the same LAN. The impact remains within the same security boundary unless additional access is obtained.

Who is most exposed

Consumer and SMB deployments of such gateways/IoT devices with remote management enabled or poorly segmented networks are especially at risk. Systems exposed directly to the internet or on poorly protected LANs are prime targets.

Detection ideas

Unusual endpoint crashes or device reboots tied to the affected management path.
High-volume attempts to access the setNotUpgrade endpoint or related management functions.
Memory corruption indicators in logs or crash dumps.
Anomalous CPU/memory spikes on the device during network activity.
Signatures or IOC patterns from known exploit activity.

Mitigation and prioritisation

Apply the latest firmware patch as a priority; verify update succeeds and device reboots cleanly.
If patching is delayed, disable remote management or restrict access to trusted networks; implement strong LAN segmentation.
Monitor management endpoints for anomalous activity and block suspicious IPs attempting access.
Enable and review logging for crashes, memory errors and reboot events; collect forensic data if exploitation is suspected.
Plan remediation as high priority; escalate if exploit activity signs emerge or EPSS/KEV indicators become available.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: ac18, CVE, cve-2025-11324, OSINT, tenda, threatintel