CVE Alert: CVE-2025-11327 – Tenda – AC18

CVE-2025-11327

HIGH | No exploitation known | PoC observed

A security vulnerability has been detected in Tenda AC18 15.03.05.19(6318). This vulnerability affects unknown code of the file /goform/SetUpnpCfg. The manipulation of the argument upnpEn leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.

CVSS v3.1: 8.8
Vendor: Tenda
Product: AC18
Versions: 15.03.05.19(6318)
CWE: CWE-121, Stack-based Buffer Overflow
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Published: 2025-10-06T08:02:06.994Z
Updated: 2025-10-06T16:32:34.292Z

AI Summary Analysis

Risk verdict

High risk: remote, low-privilege (PR:L in the vector above) code execution via SetUpnpCfg with a publicly disclosed exploit path; a PoC exists and devices are exposed to the network, warranting urgent attention.

Why this matters

An attacker could take full control of the device, exfiltrate data or disrupt services, and potentially pivot to adjacent devices on the LAN. IoT routers with UPnP enabled are commonly exposed and patching velocity is often slow, increasing exposure over time.

Most likely attack path

An attacker over the network can trigger a stack-based overflow by sending crafted data in the upnpEn argument, causing memory corruption with high impact. No user interaction is required, and only low privileges are needed (PR:L) even though the flaw is network-accessible; exploitation does not change scope (S:U) but does result in compromise of the device.

Who is most exposed

Home and small business routers with UPnP enabled and WAN-facing interfaces are at highest risk; deployments with internet-connected management or exposed UPnP services are typical patterns.

Detection ideas

  • Alarms for attempts to /goform/SetUpnpCfg with anomalous upnpEn values
  • Large or unexpected payloads in UPnP configuration requests
  • Crashes, reboots, or memory-corruption indicators in device logs
  • Public-exploit–signature matches or unusual behavioural changes post-request
  • External scans targeting UPnP services on consumer routers
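
The first two detection ideas above can be expressed as a small log filter. The following is an added example, not code from the advisory or from Tenda: it assumes request URLs and bodies are available from a proxy or IDS log, that upnpEn is normally an on/off flag ("0" or "1"), and the length thresholds are illustrative; the sample records are constructed.

```python
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/goform/SetUpnpCfg"   # endpoint named in the advisory
PARAM = "upnpEn"                     # argument named in the advisory
EXPECTED_VALUES = {"0", "1"}         # ASSUMPTION: the argument is an on/off toggle
MAX_VALUE_LEN = 8                    # ASSUMPTION: generous bound for a flag value
MAX_BODY_LEN = 256                   # ASSUMPTION: a normal form post is small

def inspect_request(url, body=""):
    """Return a list of alert reasons for one logged HTTP request (empty = clean)."""
    parts = urlsplit(url)
    if parts.path.rstrip("/").lower() != TARGET_PATH.lower():
        return []
    reasons = []
    if len(body) > MAX_BODY_LEN:
        reasons.append("oversized_body")
    # The parameter may arrive in the query string or the form body; check both.
    params = parse_qs(parts.query, keep_blank_values=True)
    for k, v in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(k, []).extend(v)
    values = params.get(PARAM, [])
    if len(values) > 1:
        reasons.append("duplicate_param")
    for value in values:
        if len(value) > MAX_VALUE_LEN:
            reasons.append("overlong_value")
        elif value not in EXPECTED_VALUES:
            reasons.append("unexpected_value")
        if any(not (32 <= ord(c) < 127) for c in value):
            reasons.append("non_printable_bytes")
    return reasons

# Constructed sample log records (timestamp, source, url, body); not real traffic.
SAMPLE_LOG = [
    ("2025-10-06T09:00:01Z", "192.0.2.10", "/goform/SetUpnpCfg", "upnpEn=1"),
    ("2025-10-06T09:00:05Z", "192.0.2.10", "/index.html", ""),
    ("2025-10-06T09:01:12Z", "198.51.100.7", "/goform/SetUpnpCfg", "upnpEn=" + "x" * 600),
    ("2025-10-06T09:01:40Z", "198.51.100.7", "/goform/SetUpnpCfg?upnpEn=on", ""),
]

def scan(log):
    """Return (timestamp, source, reasons) for every record that raises an alert."""
    return [(ts, src, r) for ts, src, url, body in log if (r := inspect_request(url, body))]

if __name__ == "__main__":
    for ts, src, reasons in scan(SAMPLE_LOG):
        print(ts, src, ",".join(reasons))
```

Tune the thresholds against legitimate traffic from the device's own web interface before alerting on them.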

Mitigation and prioritisation

  • Apply the vendor's fixed firmware release when one is available (15.03.05.19(6318) is the affected version listed above, so the fix must be a later release); verify deployment across affected devices.
  • If patching delays exist: disable UPnP on WAN, restrict remote/management access, or block the SetUpnpCfg endpoint; segment IoT devices from sensitive networks.
  • Regularly audit UPnP usage and inventory exposed devices; enable logging and anomaly detection.
  • Treat as priority 1 if KEV is present or EPSS ≥ 0.5; otherwise prioritise as high and monitor for exploitation activity.
