CVE-2025-14654

HighPublic PoC

Published: 14 December 2025

Published

14 December 2025

Modified

19 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0019 40.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was identified in Tenda AC20 16.03.08.12. The affected element is the function formSetPPTPUserList of the file /goform/setPptpUserList of the component httpd. Such manipulation of the argument list leads to stack-based buffer overflow. The attack can be executed remotely.…

The exploit is publicly available and might be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of inputs to the formSetPPTPUserList function to directly prevent stack-based buffer overflows from manipulated argument lists.

SI-2 Flaw Remediation good match

preventrecover

Mandates timely flaw remediation by applying firmware patches to eliminate the buffer overflow vulnerability in Tenda AC20 httpd.

SI-16 Memory Protection good match

prevent

Implements memory protections such as stack canaries, ASLR, and non-executable memory to mitigate exploitation of the stack-based buffer overflow.

Security SummaryAI

CVE-2025-14654 is a stack-based buffer overflow vulnerability affecting Tenda AC20 routers running firmware version 16.03.08.12. The flaw resides in the formSetPPTPUserList function within the /goform/setPptpUserList file of the httpd component. Manipulation of the argument list triggers the overflow, as documented in the CVE published on 2025-12-14. It is associated with CWEs 119, 121, and 787.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Remote attackers with low privileges can exploit it without user interaction, potentially achieving high impacts on confidentiality, integrity, and availability, such as arbitrary code execution.

Advisories on VulDB (ctiid.336387, id.336387, submit.712899) detail the issue, while a GitHub repository at https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN12/AC20_SetPptpUserList.md provides a publicly available exploit that might be used. The Tenda website (https://www.tenda.com.cn/) is referenced, but no specific patches or mitigations are outlined in the available information.

The exploit's public availability increases the risk of real-world exploitation against unpatched Tenda AC20 devices.

Details

CWE(s): CWE-119 CWE-121 CWE-787

Affected Products

tenda

ac20 firmware

16.03.08.12

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Remote stack-based buffer overflow in Tenda AC20 router's public-facing httpd web interface (/goform/setPptpUserList) enables exploitation for initial access (T1190/T1210) and denial-of-service via application crash (T1499.004); PoC supports RCE/DoS.

References

https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN12/AC20_SetPptpUserList.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.336387
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.336387
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.712899
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com