CVE Alert: CVE-2025-11389 – Tenda – AC15
CVE-2025-11389
A security flaw has been discovered in Tenda AC15 15.03.05.18. Affected is an unknown function of the file /goform/saveAutoQos. Performing manipulation of the argument enable results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.
AI Summary Analysis
Risk verdict
High risk: remote exploitation is feasible with network access and low-privilege prerequisites, and a public PoC is available.
Why this matters
The flaw enables memory corruption via a network-facing endpoint, potentially allowing full control of the affected device. Consequences include loss of confidentiality, integrity and availability, QoS manipulation, and potential lateral movement into connected networks.
Most likely attack path
An attacker with network access can trigger a stack-based overflow by manipulating the enable argument in the vulnerable endpoint, without user interaction and with only low privileges required. The issue is remote, multi-architectural (device-wide) and could lead to persistent code execution within the device’s context, with scope not escaping beyond the device but enabling subsequent network access to adjacent systems.
Who is most exposed
Consumer and small-office IoT routers or gateways that expose management endpoints to LAN or WAN are most at risk; devices used in home or small business networks with remote management enabled are typical exposure points.
Detection ideas
- Logs show crashes or reboots linked to the QoS management endpoint (/goform/saveAutoQos) after specific enable value inputs.
- Unusual memory-corruption/segmentation faults reported by device diagnostics or watchdogs.
- IDS/IPS alerts for anomalous requests to the QoS endpoint with crafted enable parameters.
- Sudden QoS configuration changes or device unresponsiveness following normal traffic.
- Increase in failed login/output anomalies on the device management interface.
Mitigation and prioritisation
- Patch as soon as a fixed firmware version is available; apply vendor guidance promptly.
- If patching is not yet possible, disable or limit remote management access; restrict management interfaces to trusted networks.
- Implement network segmentation and firewall rules to isolate IoT devices from sensitive assets.
- Monitor for QoS endpoint activity, memory faults, and device reboots; collect crash dumps if possible.
- Plan a staged change management and validation in a test environment before wider rollout.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
