CVE-2025-13446

HighPublic PoC

Published: 20 November 2025

Published

20 November 2025

Modified

21 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0044 63.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability has been found in Tenda AC21 16.03.08.16. This vulnerability affects unknown code of the file /goform/SetSysTimeCfg. The manipulation of the argument timeZone/time leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit…

has been disclosed to the public and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates manipulated timeZone/time arguments to prevent stack-based buffer overflow in /goform/SetSysTimeCfg.

SI-16 Memory Protection good match

prevent

Implements memory protections like stack canaries or DEP to block arbitrary code execution from the stack buffer overflow.

SI-2 Flaw Remediation good match

prevent

Requires timely flaw remediation via firmware patching for the publicly exploited buffer overflow in Tenda AC21 v16.03.08.16.

Security SummaryAI

CVE-2025-13446 is a stack-based buffer overflow vulnerability in Tenda AC21 firmware version 16.03.08.16. The flaw affects unknown code in the /goform/SetSysTimeCfg file, where manipulation of the timeZone or time arguments triggers the overflow. It is classified under CWE-119 and CWE-121, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.

An attacker with low privileges can exploit this vulnerability remotely without user interaction. By sending crafted requests to the vulnerable endpoint, they can achieve high impacts on confidentiality, integrity, and availability, likely enabling arbitrary code execution on the affected device.

Exploit details have been publicly disclosed, as documented in advisories on VulDB (ctiid.333018, id.333018, submit.694425) and GitHub repositories at Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN8.md and VULN9.md. The CVE was published on 2025-11-20, and these resources indicate the exploit may be actively used.

Details

CWE(s): CWE-119 CWE-121

Affected Products

tenda

ac21 firmware

16.03.08.16

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The stack-based buffer overflow vulnerability (CVE-2025-13446) in the Tenda AC21 router's public-facing web management interface (/goform/SetSysTimeCfg) enables remote unauthenticated exploitation for potential remote code execution.

References

https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN8.md
Exploit, Third Party Advisory · cna@vuldb.com
https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN9.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.333018
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.333018
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.694425
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.694430
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com
https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN8.md
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN9.md
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0