CVE Alert: CVE-2025-11586 - Tenda - AC7

CVE-2025-11586

HIGHNo exploitation known

A vulnerability was determined in Tenda AC7 15.03.06.44. This affects an unknown function of the file /goform/setNotUpgrade. This manipulation of the argument newVersion causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

CVSS v3.1 (8.8)

Vendor

Tenda

Product

AC7

Versions

15.03.06.44

CWE

CWE-121, Stack-based Buffer Overflow

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

Published

2025-10-10T21:02:10.890Z

Updated

2025-10-10T21:02:10.890Z

References

https://vuldb.com/?id.327908

https://vuldb.com/?ctiid.327908

https://vuldb.com/?submit.671597

https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC7/setNotUpgrade.md

https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC7/setNotUpgrade.md#exploit

https://www.tenda.com.cn/

AI Summary Analysis

Risk verdict

High risk: remote code execution is feasible with a publicly disclosed exploit, so remediation should be urgent.

Why this matters

The device acts as a network perimeter/mesh gateway in many SMB and consumer deployments. An attacker gaining control can disable security features, exfiltrate or tamper traffic, or pivot to adjacent hosts. The strong impact on confidentiality, integrity and availability means a successful exploit could disrupt operations and erode trust in network security.

Most likely attack path

Exploitation requires network access and limited privileges, with no user interaction. An attacker could probe for vulnerable Tenda AC7 devices, then send crafted input to /goform/setNotUpgrade to overflow the stack, achieving remote code execution. Once foothold is gained, attacker could persist within the device and attempt lateral movement within the local network, given exposed management interfaces or poor segmentation.

Who is most exposed

Devices deployed with WAN-facing management interfaces or exposed IoT routers in small business and home environments are most at risk. Legacy firmware 15.03.06.44 on Tenda AC7 is the primary exposure; devices left on default or poorly segmented networks are prime targets.

Detection ideas

Unexplained device reboots or crashes, memory corruption indicators in logs.
Anomalous traffic to the management endpoint /goform/setNotUpgrade; large or malformed payloads in newVersion fields.
Unusual outbound connections or process launches on the device after a failed or successful attempt.
Signature or IOC hits in SOC/IDS for related exploit patterns.
Firmware upgrade failures or rollback events tied to this CVE.

Mitigation and prioritisation

Apply vendor patch to update firmware to a non-vulnerable release; verify compliance.
If patching is delayed, disable or tightly restrict WAN management, and enforce network segmentation for IoT devices.
Implement strict input validation on management endpoints and rate-limit upgrade requests.
Monitor for indicators of compromise and deploy host/workload-based anomaly detection around the device.
Change-management: schedule firmware update windows, test in a staging segment, and confirm rollback procedures.
If KEV is confirmed or EPSS ≥ 0.5, treat as priority 1.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: ac7, CVE, cve-2025-11586, OSINT, tenda, threatintel