CVE Alert: CVE-2025-11328 – Tenda – AC18
CVE-2025-11328
A vulnerability was detected in Tenda AC18 15.03.05.19(6318). This issue affects some unknown processing of the file /goform/SetDDNSCfg. The manipulation of the argument ddnsEn results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used.
AI Summary Analysis
Risk verdict
High risk with public PoC availability and remote code execution potential; no explicit KEV/EPSS data, but exploitability is credible.
Why this matters
Home and small-business routers such as these are commonly connected directly to the internet, so an attacker could take control, alter DNS settings, or pivot to other devices on the LAN. A successful exploit could disrupt connectivity, expose internal traffic, or serve as a foothold for broader network compromise.
Most likely attack path
A remote attacker crafts a request to /goform/SetDDNSCfg with a manipulated ddnsEn argument, triggering a stack-based buffer overflow. With AV:N, AC:L, PR:L and no user interaction required, the attacker can achieve code execution on the device, potentially gaining full control with high impact on availability and integrity.
Who is most exposed
Primarily consumer and small-office Tenda AC18 devices in deployments where WAN management or remote access is enabled; devices left with exposed management interfaces or default network topologies are at greater risk.
Detection ideas
- Look for anomalous requests to /goform/SetDDNSCfg carrying non-standard ddnsEn values.
- Monitor for device crashes or restarts and memory-corruption related logs.
- Alert on unexpected DNS configuration changes or new processes spawned on the device.
- Identify copies of exploit/PoC indicators in network detection systems or threat intel feeds.
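One way to implement the first detection idea above, as an added example that is not code from this site or from the vendor: it checks HTTP request records for ddnsEn values sent to /goform/SetDDNSCfg, whether they arrive in the query string or the form body. The expected values ("0"/"1"), the length threshold and the sample records are assumptions constructed for illustration; tune them to what your own devices send in normal operation.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

TARGET_PATH = "/goform/SetDDNSCfg"  # endpoint named in the advisory
# Assumption: a legitimate enable flag is "0" or "1"; adjust to your baseline.
EXPECTED_VALUES = {"0", "1"}
MAX_LEN = 8  # assumption: anything longer is not a plausible flag value


def ddns_en_values(target, body):
    """Collect every decoded ddnsEn value from the query string and form body."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [value for key, value in pairs if key == "ddnsEn"]


def inspect_request(target, body=""):
    """Return a list of findings for one HTTP request (empty list = nothing odd)."""
    if unquote(urlsplit(target).path).rstrip("/") != TARGET_PATH:
        return []
    values = ddns_en_values(target, body)
    findings = []
    if len(values) > 1:
        findings.append("duplicate ddnsEn parameters")
    for value in values:
        if len(value) > MAX_LEN:
            findings.append(f"oversized ddnsEn ({len(value)} chars)")
        elif value not in EXPECTED_VALUES:
            findings.append(f"unexpected ddnsEn value {value!r}")
    return findings


# Constructed sample records (source, request target, body); not real captures.
SAMPLE = [
    ("192.0.2.10", "/goform/SetDDNSCfg", "ddnsEn=1"),
    ("192.0.2.10", "/goform/other", "ddnsEn=" + "A" * 400),
    ("198.51.100.7", "/goform/SetDDNSCfg", "ddnsEn=" + "A" * 400),
    ("198.51.100.7", "/goform/SetDDNSCfg?ddnsEn=1", "ddnsEn=%31%3b"),
]


def scan(records):
    """Return (source, findings) for every record that raised a finding."""
    alerts = [(src, inspect_request(target, body)) for src, target, body in records]
    return [(src, findings) for src, findings in alerts if findings]


if __name__ == "__main__":
    for src, findings in scan(SAMPLE):
        print(src, "->", "; ".join(findings))
```

The same checks can be fed from proxy, WAF or IDS HTTP logs once each entry is reduced to a request target and body.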
Mitigation and prioritisation
- Upgrade all affected devices to firmware version 15.03.05.19(6318) or newer; verify deployment.
- Disable or tightly restrict WAN/remote management; enforce management access only from trusted networks.
- Block or strictly filter access to /goform/SetDDNSCfg; apply firewall rules at network edge.
- Enable strict logging and IOC monitoring; apply IDS/IPS rules for known exploit patterns.
- Plan a change window for mass remediation and verify post-patch stability.
Note: if KEV is true or EPSS ≥ 0.5, treat as priority 1.