Cyber Posture

CVE-2025-14993

High · Public PoC

Published: 21 December 2025
Modified: 31 December 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.4th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was detected in Tenda AC18 15.03.05.05. This affects the function sprintf of the file /goform/SetDlnaCfg of the component HTTP Request Handler. The manipulation of the argument scanList results in stack-based buffer overflow. The attack can be executed remotely.…

The exploit is now public and may be used.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Requires validation of the scanList argument in HTTP requests to prevent stack-based buffer overflows from oversized or malformed inputs.

prevent: Implements memory protections such as stack canaries, ASLR, and DEP to mitigate exploitation of stack-based buffer overflows even if input validation fails.

prevent: Mandates timely remediation of the specific buffer overflow flaw in the sprintf function of the SetDlnaCfg handler to eliminate the vulnerability.

Security Summary [AI]

CVE-2025-14993 is a stack-based buffer overflow vulnerability affecting Tenda AC18 routers running firmware version 15.03.05.05. The issue resides in a sprintf call in the handler for /goform/SetDlnaCfg in the HTTP Request Handler component, where manipulation of the scanList argument triggers the overflow. Published on 2025-12-21, it is associated with CWE-119 and CWE-121 and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges can exploit this vulnerability remotely without user interaction. A crafted HTTP request to the vulnerable endpoint that manipulates the scanList argument can overflow the stack, potentially achieving arbitrary code execution with high impact on confidentiality, integrity, and availability.

Proof-of-concept exploits are publicly available on GitHub, including reproduction steps for the SetDlnaCfg buffer overflow. VulDB advisories (CTI ID 337687) document the issue and related submissions, though specific patch details are not outlined in the primary references.

Details

CWE(s)

Affected Products

tenda · ac18 firmware · 15.03.05.05

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in the public-facing HTTP request handler (/goform/SetDlnaCfg) of the Tenda AC18 router enables remote exploitation of a public-facing web application for potential code execution.

References