CVE Alert: CVE-2025-11385 – Tenda – AC20

CVE-2025-11385

HIGHNo exploitation known

A vulnerability has been found in Tenda AC20 up to 16.03.08.12. The affected element is the function sscanf of the file /goform/fast_setting_wifi_set. The manipulation of the argument timeZone leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVSS v3.1 (8.8)
Vendor
Tenda
Product
AC20
Versions
16.03.08.0 | 16.03.08.1 | 16.03.08.2 | 16.03.08.3 | 16.03.08.4 | 16.03.08.5 | 16.03.08.6 | 16.03.08.7 | 16.03.08.8 | 16.03.08.9 | 16.03.08.10 | 16.03.08.11 | 16.03.08.12
CWE
CWE-120, Buffer Overflow
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Published
2025-10-07T09:32:06.697Z
Updated
2025-10-07T09:32:06.697Z

AI Summary Analysis

Risk verdict

High risk: public PoC exists and the issue enables remote code execution without user interaction; urgency is warranted.

Why this matters

An attacker can remotely take control of the device and alter networking behaviour, potentially exfiltrating data or steering traffic. With high impact on confidentiality, integrity and availability, the router could become a persistent foothold for further network intrusion, botnets, or lateral movement.

Most likely attack path

Remote attacker with network access can craft a malicious timeZone value to overflow the sscanf buffer in /goform/fast_setting_wifi_set, triggering memory corruption and code execution. Exploitation does not require user action and benefits from low privileges, enabling persistence and broader device compromise. Lateral movement would be limited to the compromised router’s capabilities but could disrupt protections and expose internal clients.

Who is most exposed

Commonly deployed in homes and small offices; devices may be exposed to the internet via misconfigured WAN access or weak remote-management controls. Patch uptake on consumer routers is often slow, increasing exposure across many networks.

Detection ideas

  • Look for spikes in requests to /goform/fast_setting_wifi_set with unusual or oversized timeZone parameters.
  • Monitor for router reboots or crashes tied to remote requests.
  • IDS/IPS signatures or logs indicating attempts to trigger the specific fast_setting_wifi_set path.
  • Unusual DNS or routing changes following such requests.

Mitigation and prioritisation

  • Apply the latest firmware from Tenda or follow official security advisories; prioritise patching.
  • If patching is delayed, disable or tightly restrict remote management (WAN access), and block the affected endpoint from internet exposure.
  • Enforce network segmentation and monitor for post-exploit traffic or DNS anomalies.
  • Review change-management and deploy during a maintenance window.
  • Note: KEV presence or EPSS score are not provided; if KEV is true or EPSS ≥ 0.5, treat as priority 1. If those indicators are later disclosed, adjust urgency accordingly.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.