CVE Alert: CVE-2025-11326 – Tenda – AC18
CVE-2025-11326
A weakness has been identified in Tenda AC18 15.03.05.19(6318). This affects an unknown part of the file /goform/WifiMacFilterSet. Executing manipulation of the argument wifi_chkHz can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be exploited.
AI Summary Analysis
Risk verdict
Public PoC exists and the exploit is remotely actionable against Tenda AC18, marking it as a high-priority, real-world threat.
Why this matters
The stack-based overflow on a network-exposed path enables full device compromise without user interaction, risking router takeover, traffic interception, and lateral movement into connected networks. Given the high impact and remote access, affected deployments in homes and small offices are at notable risk.
Most likely attack path
- Attack vector: network-based exploit (AV:N, UI:N) requiring no user interaction.
- Preconditions: attacker needs access to the device over the network and only low privileges (PR:L) to trigger the overflow.
- Outcome: remote code execution with full control (C/H I/H A/H), enabling persistent access and potential network pivot.
Who is most exposed
Commonly deployed in consumer routers and small office setups; devices with WAN-facing management and exposed UPnP or remote administration are especially at risk.
Detection ideas
- Unusual or repeated requests to /goform/WifiMacFilterSet, especially with crafted wifi_chkHz values.
- Router reboot crashes or memory corruption symptoms following network traffic.
- Anomalous CPU/memory usage on the device or exploit-specific crash logs.
- Unusual POST/GET patterns and malformed parameter lengths in related endpoints.
- IDS/IPS signatures or public PoC indicators triggering alerts on this endpoint.
Mitigation and prioritisation
- Apply firmware update from Tenda addressing this overflow as soon as available; verify patch version and integrity.
- If patching is not yet possible, disable remote management and limit WAN access to the router’s admin interface; implement strict firewall rules.
- Enforce network segmentation and monitor for traffic to the vulnerable endpoint; consider disablement of WifiMacFilterSet functionality if feasible.
- Collect and analyse device logs for overflow indicators; prepare rollback and testing procedures for firmware changes.
- Treat as high-priority given PoC availability and remote, unauthenticated-appearing risk, and escalate if active exploitation indicators appear in your environment.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
