March 7 Advisory: Tenda AC7 Stacked-Based Buffer Overflow Vulnerability with PoC [CVE-2025-1851]
Date of Disclosure (source): February 22, 2025
CVE-2025-1851 is a high severity vulnerability affecting Tenda AC7 routers running firmware versions up to 15.03.06.44, with a CVSS score of 8.7. CVE-2025-1851 is a stack-based buffer overflow vulnerability within the formSetFirewallCfg function and allows a remote attacker to send a specially crafted payload to the router’s web interface.
Successful exploitation may allow an attacker to obtain a root shell on the device – however, based on the PoC, this appears to require authentication to the device to successfully exploit, which mitigates the potential impact. The assigned CVSS score of 8.7 seems relatively high given that authentication is needed to exploit.
Tenda AC7 is a wireless dual-band router designed for home and small business use (SOHO). During our analysis of this vulnerability, most of the exposed web portals we identified matched the image below. While we couldn’t confirm details regarding the models or versions of the devices, all appeared to be Tenda Routers.
At the time of writing, active exploitation of this vulnerability has not been observed. However, a proof of concept (PoC) is public on GitHub. The PoC demonstrates how an attacker can send a malicious POST request to the /goform/SetFirewallCfg endpoint, overflow the firewallEn parameter, and trigger a stack overflow leading to denial of service.
The PoC author also noted that because the stack overflow allows control of the program counter (PC) register, an altered payload could enable the attacker to obtain a persistent root shell on the device.
| Field | Details | |||||
|---|---|---|---|---|---|---|
| CVE-ID | CVE-2025-1851 – CVSS 8.7 (high) – assigned by VulDB | |||||
| Vulnerability Description | A stack-based buffer overflow vulnerability in the formSetFirewallCfg function of Tenda AC7 routers, potentially allowing root shell access through a crafted POST request sent to the /goform/SetFirewallCfg endpoint. | |||||
| Date of Disclosure | February 22, 2025 | |||||
| Affected Assets | formSetFirewallCfg function (/goform/SetFirewallCfg endpoint) of Tenda AC7 routers. | |||||
| Vulnerable Software Versions | Tenda AC7 firmware versions up to 15.03.06.44. | |||||
| PoC Available? | A PoC exploit is available on GitHub here. | |||||
| Exploitation Status | We did not observe this vulnerability on CISA’s list of known exploited vulnerabilities or in GreyNoise at the time of writing. | |||||
| Patch Status | No official patch is available at the time of writing. Users are advised to restrict access to the router’s web interface and apply any firmware updates from Tenda. | |||||
Censys Perspective
At the time of writing, Censys observed 14,049 exposed Tenda Router web login interfaces online. Note that these are not necessarily Tenda AC7 routers as specific model numbers were not exposed. This figure instead represents Tenda Routers with publicly accessible web interfaces.
Map of Exposed Tenda Routers:
services.software: (vendor= "Tenda" and product= "Router")
host.services.hardware: (vendor: "Tenda" and product: "Router")
host.services.software: (vendor= "Tenda" and product= "Router")
Note that these fingerprints were recently modified and results may take up to 24 hours to fully propagate.
