CVE-2025-11586
Published: 10 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-11586 is a stack-based buffer overflow vulnerability affecting the Tenda AC7 router version 15.03.06.44. The issue resides in an unknown function of the /goform/setNotUpgrade file, where manipulation of the newVersion argument triggers the overflow. Associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), it was published on 2025-10-10 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Remote attackers with low privileges can exploit this vulnerability without user interaction. By sending crafted requests to the vulnerable endpoint, they can trigger the buffer overflow, potentially achieving high impacts on confidentiality, integrity, and availability, such as arbitrary code execution on the device.
References include GitHub details on the vulnerability and a proof-of-concept exploit, along with VulDB entries (ctiid.327908, id.327908, submit.671597). No vendor patches or specific mitigation guidance from advisories are detailed in the provided information, though the public disclosure of the exploit heightens the risk of real-world attacks.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in the public-facing web management interface (/goform/setNotUpgrade) of Tenda AC7 router enables remote code execution without authentication.