CVE-2025-11524

CVE-2025-11524 is a stack-based buffer overflow vulnerability in Tenda AC7 router firmware version 15.03.06.44. The flaw affects the processing of the /goform/SetDDNSCfg file, where manipulation of the ddnsEn argument triggers the overflow. Published on 2025-10-09, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity by an attacker possessing low privileges, such as an authenticated user, and without requiring user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data compromise, or denial of service.

Advisories from VulDB (ctiid.327662, id.327662, submit.669852) document the issue, and a proof-of-concept exploit has been published on GitHub at https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC7/SetDDNSCfg.md, which may be used by attackers. The Tenda website (https://www.tenda.com.cn/) is referenced, but no specific patch or mitigation details are provided in the available information.

The published exploit heightens the risk of real-world exploitation against unpatched Tenda AC7 devices.