CVE Alert: CVE-2025-10120 – Tenda – AC20

CVE-2025-10120

HIGH | No exploitation known

A vulnerability was detected in Tenda AC20 firmware up to and including 16.03.08.12. The affected code is a strcpy call in the handler for /goform/GetParentControlInfo: the client-supplied mac argument is copied without a length check, resulting in a buffer overflow (CWE-120). The attack can be performed remotely. A public exploit exists and may be used.

CVSS v3.1 (8.8)
Vendor
Tenda
Product
AC20
Versions
16.03.08.0 | 16.03.08.1 | 16.03.08.2 | 16.03.08.3 | 16.03.08.4 | 16.03.08.5 | 16.03.08.6 | 16.03.08.7 | 16.03.08.8 | 16.03.08.9 | 16.03.08.10 | 16.03.08.11 | 16.03.08.12
CWE
CWE-120, Buffer Overflow
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Published
2025-09-09T01:32:12.388Z
Updated
2025-09-09T01:32:12.388Z

AI Summary Analysis

Risk verdict

High risk of remote code execution due to a buffer overflow reachable through the device's web management interface; a public exploit exists, although no in-the-wild exploitation has been reported at the time of publication.

Why this matters

A remote exploit requiring only low-privileged access to the management interface (PR:L in the vector) with high impact on confidentiality, integrity and availability could allow attackers to take control of the device, intercept or exfiltrate traffic, or disrupt network services. Widespread exploitation could enable rapid, mass compromise across consumer and small business networks if devices remain unpatched.

Most likely attack path

An attacker with network access to the router's web interface and a low-privileged session sends a crafted request to /goform/GetParentControlInfo whose mac parameter is far longer than the 17 characters of a textual MAC address; no user interaction is needed. Because the value is copied with strcpy into a fixed buffer, the overflow can crash the web server or, with a working exploit, run attacker code on the device, from where the attacker can reach hosts behind the router.
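The CWE-120 pattern behind this advisory, as an added illustration and not Tenda's source (which this page does not include): a GoAhead-style handler that strcpy()s the client-supplied mac value into a fixed buffer, next to a version that validates the value's shape and bounds the copy. The handler names, the buffer size and the MAC format check are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

#define MAC_STR_LEN 17               /* "aa:bb:cc:dd:ee:ff" */
#define MAC_BUF_LEN (MAC_STR_LEN + 1)

/* Vulnerable shape (assumed, mirrors the advisory's description): the
 * client-controlled 'mac' value is copied with strcpy() into a fixed buffer.
 * A value longer than 17 bytes overruns 'mac' and corrupts whatever sits
 * next to it. Only ever call this with short input; on oversized input the
 * behaviour is undefined, which is exactly the bug. */
static void handle_parent_control_unsafe(const char *mac_param)
{
    char mac[MAC_BUF_LEN];
    strcpy(mac, mac_param);          /* CWE-120: no length check */
    printf("unsafe handler looked up %s\n", mac);
}

/* Hardened: accept only a well-formed textual MAC (six hex pairs, colon
 * separated, exactly 17 characters). */
static bool is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != MAC_STR_LEN)
        return false;
    for (int i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return false;
        } else if (!isxdigit((unsigned char)s[i])) {
            return false;
        }
    }
    return true;
}

/* Returns 0 and fills 'out' on success, -1 when the value is rejected or the
 * destination is too small. The copy is bounded by out_len, so even a bug
 * in the validator cannot turn into an overflow. */
static int handle_parent_control_safe(const char *mac_param, char *out, size_t out_len)
{
    if (out == NULL || out_len < MAC_BUF_LEN || !is_valid_mac(mac_param))
        return -1;
    snprintf(out, out_len, "%s", mac_param);
    return 0;
}

int main(void)
{
    char oversized[300];             /* constructed attacker-style input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    char out[MAC_BUF_LEN];
    printf("valid MAC -> %d\n", handle_parent_control_safe("aa:bb:cc:dd:ee:ff", out, sizeof out));
    printf("300 x 'A' -> %d\n", handle_parent_control_safe(oversized, out, sizeof out));
    handle_parent_control_unsafe("aa:bb:cc:dd:ee:ff");   /* safe only because the input is short */
    return 0;
}
```

The validator rejects the oversized input before any copy happens, and the snprintf bound is a second, independent limit; both are needed, because the original bug is precisely that the copy trusted the input's length.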

Who is most exposed

Common in consumer and SMB router deployments, especially where the management interface is reachable from the WAN or from untrusted network segments. Environments with delayed firmware updates, default credentials or publicly reachable admin interfaces are particularly at risk.

Detection ideas

  • Web server logs showing requests to /goform/GetParentControlInfo whose mac parameter is longer than the 17 characters of a textual MAC address
  • Crashes, reboots or other memory corruption indicators of the device's web server following remote probes
  • IDS/IPS alerts or signatures matching the public PoC/exploit request pattern
  • Unusual activity on administrative interfaces, or unexpected device reboots, originating from external IPs
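An added example for the first detection idea, not taken from the page or from any vendor tooling: a small scanner that picks the mac parameter out of request log lines for the GetParentControlInfo endpoint and flags values longer than the 17 bytes of a textual MAC address. The log lines are constructed, the log format is assumed, and percent-encoded characters are counted as one decoded byte so that an encoded but valid MAC is not flagged.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAC_STR_LEN 17

/* Decoded length of the 'mac' parameter in a request line, or -1 when the
 * line does not target GetParentControlInfo or carries no mac parameter.
 * A %XX triplet counts as one byte, so "aa%3Abb%3A..." measures 17 like
 * the plain form; only the endpoint named in the advisory is considered. */
static int mac_param_decoded_len(const char *line)
{
    if (strstr(line, "/goform/GetParentControlInfo") == NULL)
        return -1;
    /* 'mac=' must start a parameter, not be the tail of e.g. 'oldmac=' */
    const char *p = strstr(line, "mac=");
    while (p != NULL && !(p == line || p[-1] == '?' || p[-1] == '&'))
        p = strstr(p + 1, "mac=");
    if (p == NULL)
        return -1;
    p += 4;
    int len = 0;
    while (*p != '\0' && *p != '&' && *p != ' ') {
        if (*p == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2]))
            p += 3;
        else
            p += 1;
        len++;
    }
    return len;
}

/* 1 when the mac value is longer than any legitimate textual MAC. */
static int is_suspicious(const char *line)
{
    return mac_param_decoded_len(line) > MAC_STR_LEN;
}

static int count_suspicious(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_suspicious(lines[i]))
            hits++;
    return hits;
}

/* Constructed sample log lines, not real device output; the third one is a
 * 64-byte payload (eight literals of eight 'A's) in the style of a PoC. */
static const char *const SAMPLE_LOG[] = {
    "192.168.0.23 \"GET /goform/GetParentControlInfo?mac=aa:bb:cc:dd:ee:ff HTTP/1.1\" 200",
    "192.168.0.23 \"GET /goform/GetParentControlInfo?mac=aa%3Abb%3Acc%3Add%3Aee%3Aff HTTP/1.1\" 200",
    "203.0.113.9 \"GET /goform/GetParentControlInfo?mac="
        "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"
        "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" " HTTP/1.1\" 500",
    "203.0.113.9 \"GET /goform/SetParentControlInfo?mac=" "AAAAAAAA" "AAAAAAAA" " HTTP/1.1\" 200",
    "192.168.0.5 \"GET /goform/GetParentControlInfo HTTP/1.1\" 200",
};
#define SAMPLE_LOG_N (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LOG_N; i++)
        printf("line %zu: mac len %d%s\n", i, mac_param_decoded_len(SAMPLE_LOG[i]),
               is_suspicious(SAMPLE_LOG[i]) ? "  <-- suspicious" : "");
    printf("%d suspicious request(s)\n", count_suspicious(SAMPLE_LOG, SAMPLE_LOG_N));
    return 0;
}
```

The length threshold is deliberately the only criterion: a 17-byte value with odd characters is a parser concern for the device, not an overflow, whereas anything longer cannot be a MAC address and is worth an alert regardless of content. The scanner deliberately ignores the neighbouring SetParentControlInfo line because the advisory names only the Get handler; widen the endpoint match if the vendor advisory later covers more.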

Mitigation and prioritisation

  • Apply the vendor's latest firmware as soon as a release addressing this issue is available, and confirm the running version is no longer within the affected range (16.03.08.0 to 16.03.08.12).
  • Disable remote (WAN-side) management or restrict admin access to trusted networks; enforce strict ACLs on the management interface.
  • Isolate affected devices on dedicated segments and block access to the device's web interface, including /goform/GetParentControlInfo, from untrusted networks.
  • Enable logging on the device and upstream, monitor for the exploitation indicators above, and test firmware updates in a staging environment before rollout.
  • If KEV is true or EPSS ≥ 0.5 (data not provided here), treat as priority 1. Otherwise, escalate to high priority with a defined patch window and rollback plan.
