CVE Alert: CVE-2025-10815 – Tenda – AC20
CVE-2025-10815
A vulnerability was identified in Tenda AC20 up to 16.03.08.12. Affected by this issue is the function strcpy of the file /goform/SetPptpServerCfg of the component HTTP POST Request Handler. Such manipulation of the argument startIp leads to buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used.
AI Summary Analysis
**Risk verdict**: High risk with remote code execution potential; exploit publicly available and demonstrably workable on affected firmware.
**Why this matters**: Consumer/SMB routers like the AC20 sit at a critical network edge; a buffer overflow in a remote HTTP endpoint can yield full device takeover, allowing pivot to internal networks or VPN traffic. Widespread deployment means a large footprint of vulnerable devices, increasing likelihood of mass exploitation or targeted campaigns.
**Most likely attack path**: Attacker needs network access and a low-privilege credential (PR:L), with no user interaction required (UI:N). The attacker sends crafted input to the HTTP POST handler /goform/SetPptpServerCfg, triggering a strcpy-based overflow. Successful exploitation yields memory corruption and full control, given high impact on confidentiality, integrity and availability. Scope remains unchanged, so the attacker can abuse the compromised device within the original security domain.
**Who is most exposed**: Predominantly consumer and SMB deployments of Tenda AC20 in home/office networks, especially where devices are publicly accessible or exposed via WAN management or misconfigured port forwarding.
**Detection ideas**:
- Monitor for unusual HTTP POSTs to /goform/SetPptpServerCfg with abnormal startIp values.
- Look for crashes, memory spikes, or reboots following such requests.
- IDS/IPS signatures or IOCs tied to public PoC indicators and the known endpoint.
- Unexplained VPN service changes or new PPTP-related artefacts in config or process lists.
**Mitigation and prioritisation**:
- Apply the latest firmware patch (16.03.08.12 or later) from the vendor; treat as high priority for affected units.
- If patching immediate remediation is not possible, disable WAN-facing management and restrict admin UI access to trusted networks; enforce strict access controls.
- Block or heavily monitor the specific POST path and reduce exposure of the HTTP interface to the Internet; enable automatic firmware updates where feasible.
- Validate configurations for PPTP-related services and audit for unexpected changes post-incident.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
