CVE Alert: CVE-2025-11526 – Tenda – AC7

Risk verdict

High risk: remote, unauthenticated code execution is possible and a public exploit exists.

Why this matters

An attacker could take full control of the device, exposing network traffic and enabling lateral movement to other hosts. The high impact on confidentiality, integrity and availability means device compromise could disrupt operations and broader network security.

Most likely attack path

Based on AV:N, AC:L, PR:L, UI:N, S:U with a PoC-exploitation state, an attacker can trigger the stack overflow over the network without user interaction. Successful exploitation yields code execution within the device with low privileges, but—given the high impact—could enable persistent access and network pivoting.

Who is most exposed

Commonly deployed in home and small business environments with Internet-facing or easily reachable admin interfaces; devices in IoT-heavy networks are particularly at risk when management ports are accessible from WAN or unsegmented LANs.

Detection ideas

• Unexplained device reboots or crashes with memory corruption symptoms.
• Logs or alerts showing attempts to access /goform/WifiMacFilterSet or overflow indicators.
• Suspicious network traffic patterns to/from the device’s management interface.
• Public PoC indicators or signature-like traffic from known exploit activity.
• Anomalous memory usage or core dumps tied to wifi_chkHz handling.

Mitigation and prioritisation

• Apply vendor firmware patch as soon as available; verify integrity before deployment.
• If patch is unavailable, disable or restrict remote management and WAN admin access; implement strict ACLs.
• Place affected devices on a segmented network with enforced egress filtering and monitor for anomalous activity.
• Expedite change-management and test patches in a lab before production rollout.
• If KEV is confirmed or EPSS score is ≥0.5, treat as priority 1. Note: data not shown here; confirm KEV/EPSS to adjust prioritisation.