CVE-2025-13258
Published: 17 November 2025
Description
A vulnerability was detected in Tenda AC20 up to 16.03.08.12. The impacted element is an unknown function of the file /goform/WifiExtraSet. The manipulation of the argument wpapsk_crypto results in buffer overflow. The attack can be launched remotely. The exploit is…
more
now public and may be used.
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation, directly mitigating this known buffer overflow by patching the Tenda AC20 firmware beyond version 16.03.08.12.
SI-10 enforces information input validation, preventing the buffer overflow triggered by manipulating the wpapsk_crypto argument in /goform/WifiExtraSet.
SI-16 implements memory protection mechanisms such as stack canaries or ASLR, directly countering exploitation of the buffer overflow vulnerability.
Security SummaryAI
CVE-2025-13258 is a buffer overflow vulnerability (CWE-119, CWE-120) in Tenda AC20 routers up to version 16.03.08.12. The flaw affects an unknown function within the /goform/WifiExtraSet file, where manipulation of the wpapsk_crypto argument triggers the overflow. Published on 2025-11-17, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers with low privileges, requiring no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, such as arbitrary code execution on the affected router.
References point to a public GitHub proof-of-concept exploit detailing the Tenda AC20 WifiExtraSet buffer overflow, along with VulDB entries (ctiid.332593, id.332593, submit.688716) providing further vulnerability information. The exploit is now public and may be used.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the public-facing web endpoint /goform/WifiExtraSet allows remote exploitation for potential RCE or DoS on the Tenda AC20 router.