CVE Alert: CVE-2025-11527 - Tenda - AC7

CVE-2025-11527

HIGHNo exploitation known

A vulnerability was determined in Tenda AC7 15.03.06.44. The impacted element is an unknown function of the file /goform/fast_setting_pppoe_set. Executing manipulation of the argument Password can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

CVSS v3.1 (8.8)

Vendor

Tenda

Product

AC7

Versions

15.03.06.44

CWE

CWE-121, Stack-based Buffer Overflow

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

Published

2025-10-09T02:32:13.681Z

Updated

2025-10-09T02:32:13.681Z

References

https://vuldb.com/?id.327665

https://vuldb.com/?ctiid.327665

https://vuldb.com/?submit.669856

https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC7/fast_setting_pppoe_set.md

https://www.tenda.com.cn/

AI Summary Analysis

Risk verdict

High risk of remote code execution on Tenda AC7 due to a stack-based overflow in fast_setting_pppoe_set; exploit is publicly disclosed, making weaponisation likely. KEV/EPSS indicators are not provided in the data.

Why this matters

A successful exploit could give an attacker full control of the device, including firmware modification and network access. In consumer and SMB deployments, exposed management interfaces often sit at the network edge, enabling lateral movement into connected devices or interception of traffic.

Most likely attack path

Remote attacker, with network access, can send crafted input to /goform/fast_setting_pppoe_set, abusing an unauthorised Password argument to trigger a buffer overflow. The CVSS metrics imply no user interaction, low access complexity but requiring local privileges to modify the password field, and high impact across confidentiality, integrity and availability. With PoC public, reconciliation to arbitrary code execution and persistence is plausible, enabling rapid device compromise and potential network pivot.

Who is most exposed

Typical exposure applies to consumer/ISP-supplied routers and small office devices that expose management endpoints over the internet or poorly protected WAN interfaces. Environments using default or weak credentials plus remote management enabled are especially at risk.

Detection ideas

Crashes or restarts of the management process on Tenda AC7.
Logs showing anomalous/large Password payloads targeting /goform/fast_setting_pppoe_set.
Unusual CPU/memory spikes or stack traces in device diagnostics.
External probes targeting management endpoints, especially from unauthorised sources.
Unexpected firmware dumps or process anomalies after handling specific requests.

Mitigation and prioritisation

Apply the latest firmware from the vendor with the fix; verify update succeeds.
Disable remote management or restrict access to trusted networks; enforce strong access controls.
Place affected devices behind network segmentation; limit exposure to the internet.
Monitor management interfaces for anomalous payloads and block suspicious IPs; enable IDS/IPS rules if available.
Schedule and test patches during maintenance windows; document changes and rollback plan.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: ac7, CVE, cve-2025-11527, OSINT, tenda, threatintel