CVE-2025-11387

CVE-2025-11387 is a stack-based buffer overflow vulnerability affecting the Tenda AC15 router on firmware version 15.03.05.18. The flaw exists in an unknown function of the /goform/fast_setting_pppoe_set file, where manipulation of the Password argument triggers the overflow. It is classified under CWE-119 and CWE-121, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data, modification of system integrity, and denial of service, potentially leading to remote code execution via the buffer overflow.

Advisories note that the exploit has been publicly disclosed, with a proof-of-concept available at https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC15/fast_setting_pppoe_set.md. Additional details appear in VulDB entries at https://vuldb.com/?ctiid.327314, https://vuldb.com/?id.327314, and https://vuldb.com/?submit.664970. The vendor site is https://www.tenda.com.cn/, though no specific patch or mitigation guidance is detailed in the references.