CVE Alert: CVE-2025-12611 – Tenda – AC21
CVE-2025-12611
A vulnerability was identified in Tenda AC21 16.03.08.16. It affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. Manipulation of the argument startIp leads to a buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
AI Summary Analysis
**Risk verdict** High risk: network-exposed buffer overflow with remote code execution potential; publicly available exploit increases urgency.
**Why this matters** The vulnerability grants high-impact access to confidentiality, integrity and availability with no user interaction required, and a PoC is publicly available. Compromise of a gateway device could enable VPN abuse, traffic interception, or pivot into internal networks, affecting both home and small business environments.
**Most likely attack path** An unauthenticated or minimally authenticated attacker can target the PPTP server configuration endpoint over the network, sending crafted data (startIp) to trigger memory corruption. The low-privilege requirement and network reachability mean exploitation could be attempted remotely, potentially yielding full device compromise and subsequent lateral movement within the local network.
**Who is most exposed** Commonly deployed consumer and small-office routers with PPTP server features are at risk, especially when management interfaces or VPN endpoints are reachable from the internet or poorly protected on LAN segments.
Detection ideas
- Look for unusual or malformed requests to the PPTP server config endpoint, especially with abnormal startIp payloads.
- Monitor for device crashes, reboot events, or memory corruption logs tied to the affected path.
- Deploy IDS/IPS signatures or behavioural alerts for attempts to reach the /goform/SetPptpServerCfg endpoint.
- Unusual spikes in VPN connection attempts or VPN service restarts.
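The first detection idea above, worked as an added example (not code from the advisory or from Tenda): a small log scanner that flags requests to the affected endpoint whose startIp value is oversized or is not a dotted-quad IPv4 address. The log line format, the 15-character length ceiling and the sample traffic are all constructed for the example.

```python
import re
from ipaddress import IPv4Address, AddressValueError
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/goform/SetPptpServerCfg"
TARGET_PARAM = "startIp"
# Assumption: a well-formed dotted-quad never exceeds 15 characters; anything
# longer, or not parseable as IPv4, is treated as a suspicious payload.
MAX_IPV4_LEN = 15

# Constructed log format (not the router's own): "<client> <method> <path> <body>".
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$")


def inspect_line(line: str):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("path").split("?")[0] != TARGET_PATH:
        return None
    params = parse_qs(m.group("body"), keep_blank_values=True)
    for value in params.get(TARGET_PARAM, []):
        reason = None
        if len(value) > MAX_IPV4_LEN:
            reason = f"{TARGET_PARAM} length {len(value)} exceeds {MAX_IPV4_LEN}"
        else:
            try:
                IPv4Address(value)
            except AddressValueError:
                reason = f"{TARGET_PARAM} is not a valid IPv4 address"
        if reason:
            return {"client": m.group("client"), "reason": reason, "length": len(value)}
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]


# Constructed sample traffic: a benign config change, an oversized value,
# a non-IPv4 value, and an unrelated request.
SAMPLE_LOG = [
    "192.168.0.10 POST /goform/SetPptpServerCfg startIp=192.168.0.100&endIp=192.168.0.110",
    "203.0.113.7 POST /goform/SetPptpServerCfg startIp=" + "A" * 64 + "&endIp=192.168.0.110",
    "192.168.0.11 POST /goform/SetPptpServerCfg startIp=%3Cscript%3E&endIp=10.0.0.2",
    "192.168.0.12 GET /index.html -",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The benign request passes because its startIp parses as IPv4; the two malformed ones are returned as findings with the client address and reason, which is enough to feed an alert or correlate with the crash/reboot indicators listed above.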
Mitigation and prioritisation
- Apply the vendor-provided firmware patch or upgrade to a non-affected release as the top priority.
- If patching is delayed, disable the PPTP server feature or restrict access to trusted networks only; apply strict ACLs to management interfaces.
- Segregate VPN endpoints from untrusted networks; replace PPTP with modern TLS/IPsec-based VPN where feasible.
- Initiate a change-management window for firmware upgrades; test in a controlled environment before broad rollout.
- Ensure monitoring and logging of VPN-related configuration changes post-patch.