CVE-2025-11388
Published: 07 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-11388 is a stack-based buffer overflow vulnerability affecting Tenda AC15 routers running firmware version 15.03.05.18. The flaw is in an unspecified function behind the /goform/setNotUpgrade endpoint, where improper handling of the newVersion argument lets input overflow a stack buffer. It maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), was published on 2025-10-07, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
Remote attackers with low privileges can exploit this vulnerability by manipulating the newVersion parameter in requests to the affected endpoint, potentially leading to arbitrary code execution, data compromise, or denial of service. Because attack complexity is low and no user interaction is required, the flaw is reachable by authenticated users over the network, with high impact on confidentiality, integrity, and availability.
Advisories from VulDB detail the vulnerability and reference a publicly available exploit on GitHub at https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC15/setNotUpgrade.md, which demonstrates the buffer overflow. The vendor's site at https://www.tenda.com.cn/ is listed, though no specific patches or mitigations are detailed in the provided references.
The exploit is publicly available, which increases the risk of real-world abuse against unpatched Tenda AC15 devices.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stack-based buffer overflow in the public-facing web interface (/goform/setNotUpgrade) of the Tenda AC15 router enables remote exploitation of a public-facing application for initial access, and a public PoC is available.