CVE Alert: CVE-2025-10838 - Tenda - AC21

CVE-2025-10838

HIGHNo exploitation known

A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function sub_45BB10 of the file /goform/WifiExtraSet. The manipulation of the argument wpapsk_crypto leads to buffer overflow. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

CVSS v3.1 (8.8)

Vendor

Tenda

Product

AC21

Versions

16.03.08.16

CWE

CWE-120, Buffer Overflow

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

Published

2025-09-23T04:32:07.071Z

Updated

2025-09-23T04:32:07.071Z

References

https://vuldb.com/?id.325200

https://vuldb.com/?ctiid.325200

https://vuldb.com/?submit.657126

https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC21/Tenda%20AC21%20Buffer%20overflow.md

https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC21/Tenda%20AC21%20Buffer%20overflow.md#poc

https://www.tenda.com.cn/

AI Summary Analysis

Risk verdict

High risk of remote code execution on affected Tenda AC21 devices, with a publicly available exploit and no user interaction required.

Why this matters

An attacker could take full control of the router, exfiltrate credentials, or pivot to devices on the LAN, potentially compromising other networked systems. Service disruption or configuration manipulation could undermine both privacy and business operations, especially in small offices or home deployments relying on this device.

Most likely attack path

Remote network access is sufficient (no user interaction, low attack complexity, low privileges required). The attacker can trigger a buffer overflow via wpapsk_crypto in WifiExtraSet, gaining code execution on the device. Because the scope is the device itself, immediate impact includes device compromise and potential explicit access to adjacent network resources.

Who is most exposed

Primarily consumer and SMB networks using the AC21 with WAN-facing management exposed. Environments where the router sits at the network perimeter or is directly accessible from the internet are at greater risk.

Detection ideas

Logs showing unusual activity targeting /goform/WifiExtraSet or wpapsk_crypto payloads.
Crashes or watchdog resets tied to WiFi configuration requests.
Anomalous traffic patterns to the device’s management interfaces.
Repeated failed or successful exploit-like connection attempts from external sources.
Memory corruption indicators in device diagnostics or remote crash reports.

Mitigation and prioritisation

Apply the vendor patch to 16.03.08.16 or newer as a priority.
If patching is delayed, disable or restrict WAN-side administration; implement tight firewall rules to limit management access.
Isolate affected devices from sensitive segments and monitor for post-exploit activity.
Consider temporary mitigations such as disabling WifiExtraSet functions or hardening wpapsk_crypto handling where feasible.
Change-management: track patch uptake and verify firmware integrity after update.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: ac21, CVE, cve-2025-10838, OSINT, tenda, threatintel