CVE-2025-11356
Published: 07 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-11356 is a buffer overflow vulnerability affecting Tenda AC23 routers up to version 16.03.07.52. The issue resides in the sscanf function of the /goform/SetStaticRouteCfg file, where manipulation of the argument list triggers the overflow. Classified under CWE-119 and CWE-120, it was published on 2025-10-07 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution or denial of service. A public exploit is available and could be used.
Advisories from VulDB (e.g., https://vuldb.com/?id.327241) and a GitHub repository (https://github.com/cymiao1978/cve/blob/main/12.md) detail the vulnerability; the Tenda vendor site (https://www.tenda.com.cn/) may provide patches or further guidance.
The public availability of an exploit raises concerns for real-world exploitation against unpatched Tenda AC23 devices.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in the publicly accessible web interface (/goform/SetStaticRouteCfg) of Tenda AC23 router enables remote code execution or denial of service via exploitation of a public-facing application.