CVE Alert: CVE-2025-12225 – Tenda – AC6

CVE-2025-12225

HIGH

No exploitation known

A vulnerability has been found in Tenda AC6 15.03.06.50. This issue affects some unknown processing of the file /goform/WifiGuestSet of the component HTTP Request Handler. Such manipulation of the argument shareSpeed leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS v3.1: 8.8
Vendor: Tenda
Product: AC6
Versions: 15.03.06.50
CWE: CWE-121, Stack-based Buffer Overflow
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Published: 2025-10-27T05:02:06.747Z
Updated: 2025-10-27T05:02:06.747Z

AI Summary Analysis

Risk verdict

High risk of remote code execution on Tenda AC6 via the WifiGuestSet stack overflow. A public PoC is available and the advisory indicates active exploitation risk; patch prioritisation is recommended.

Why this matters

The vulnerability yields full control over the device (C:H/I:H/A:H). In networked deployments, an attacker could reliably compromise the router, exfiltrate data, or pivot to the LAN, with impact on confidentiality, integrity and availability.

Most likely attack path

An attacker with network access and low-privilege credentials can target the HTTP endpoint /goform/WifiGuestSet, supply a crafted shareSpeed value, trigger a stack-based overflow and gain code execution. No user interaction is required; PoC exists and public disclosure increases likelihood of widespread attempts. Exploitation could then enable sustained access or device takeover.

Who is most exposed

Common in consumer/home and small-business networks using Tenda AC6 devices; any deployment with WAN-facing management interfaces or weak credentials elevates risk. Organisations onboarding such devices or exposed remote management are particularly vulnerable.

Detection ideas

  • Monitor for anomalous HTTP requests to /goform/WifiGuestSet with unusual shareSpeed payloads.
  • Look for crashes, reboots, or memory-corruption symptoms in device logs after targeted requests.
  • Watch for IDS/IPS signature hits or PoC indicators tied to this CVE (signature-based indicators).
  • Unusual spikes in device CPU/memory or failed login attempts on web admin interfaces.
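
The first detection idea can be implemented as a filter over HTTP requests recorded by a proxy or capture point in front of the router's management interface. This is an added example, not code from the advisory or the vendor; the record format, the `MAX_LEN` threshold and the expectation that `shareSpeed` is a short decimal number are assumptions to tune against your own baseline.

```python
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/wifiguestset"  # endpoint from the advisory, lower-cased
PARAM = "shareSpeed"                  # argument from the advisory
MAX_LEN = 16  # assumption: set from the longest legitimate value you observe

def inspect_request(url, body=""):
    """Return reasons a request looks suspicious; empty list if none."""
    parts = urlsplit(url)
    if parts.path.rstrip("/").lower() != TARGET_PATH:
        return []
    # The argument may arrive in the query string or a form-encoded body.
    fields = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        fields.setdefault(key, []).extend(vals)
    values = fields.get(PARAM, [])
    reasons = []
    if len(values) > 1:
        reasons.append("duplicate shareSpeed parameter")
    for v in values:
        if len(v) > MAX_LEN:
            reasons.append(f"shareSpeed length {len(v)} exceeds {MAX_LEN}")
        # Assumption: a speed limit should be a short decimal number.
        if v and not (v.isascii() and v.isdigit()):
            reasons.append("shareSpeed is not a plain decimal number")
    return reasons

def scan(records):
    """Return (index, reasons) for every flagged (url, body) record."""
    return [(i, r) for i, (url, body) in enumerate(records)
            if (r := inspect_request(url, body))]

# Constructed sample records (url, body); not captured traffic.
SAMPLE = [
    ("/goform/WifiGuestSet", "shareSpeed=0"),
    ("/goform/WifiGuestSet", "shareSpeed=" + "A" * 200),
    ("/goform/WifiGuestSet?shareSpeed=%ff%fe12", ""),
    ("/other", "shareSpeed=" + "A" * 200),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE):
        print(index, "; ".join(reasons))
```

Lengths are measured after URL decoding, so percent-encoded padding is counted at its decoded size.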

Mitigation and prioritisation

  • Apply vendor patch to affected firmware as soon as available; verify integrity before rollout.
  • If patching is delayed, disable WAN/remote management and restrict admin access to trusted networks; enforce strong credentials.
  • Deploy network segmentation or disable unnecessary HTTP endpoints on devices.
  • Monitor for PoC traffic and fast-track remediation if indicators appear.
  • Plan a staged firmware upgrade and perform post-deployment validation; document change control and rollback procedures.
