CVE-2025-15356

HighPublic PoC

Published: 30 December 2025

Published

30 December 2025

Modified

31 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 38.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability has been found in Tenda AC20 up to 16.03.08.12. The impacted element is the function sscanf of the file /goform/PowerSaveSet. The manipulation of the argument powerSavingEn/time/powerSaveDelay/ledCloseType leads to buffer overflow. The attack can be initiated remotely. The exploit…

has been disclosed to the public and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely identification, reporting, and correction of the buffer overflow flaw in the Tenda AC20 /goform/PowerSaveSet function via patches or updates.

SI-10 Information Input Validation good match

prevent

Implements validation and sanitization of user inputs like powerSavingEn, time, powerSaveDelay, and ledCloseType to prevent buffer overflows in the sscanf function.

SI-16 Memory Protection partial match

prevent

Deploys memory protection mechanisms such as stack canaries, ASLR, and DEP to mitigate exploitation of the buffer overflow even if inputs are malformed.

Security SummaryAI

CVE-2025-15356 is a buffer overflow vulnerability affecting Tenda AC20 routers up to version 16.03.08.12. The issue resides in the sscanf function within the /goform/PowerSaveSet file, where manipulation of arguments such as powerSavingEn, time, powerSaveDelay, or ledCloseType triggers the overflow. It is classified under CWE-119 and CWE-120, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability enables remote exploitation over the network with low attack complexity and requires only low privileges, such as a valid user account, without needing user interaction. Attackers can achieve high impacts across confidentiality, integrity, and availability, potentially leading to arbitrary code execution on the affected device.

Public references include proof-of-concept exploits disclosed on GitHub at repositories under xyh4ck/iot_poc, specifically detailing the Tenda AC20 buffer overflow, as well as entries on VulDB (ctiid.338742, id.338742, submit.726360). No vendor advisories or patches are specified in the available information.

The exploit has been publicly disclosed and may be used in the wild.

Details

CWE(s): CWE-119 CWE-120

Affected Products

tenda

ac20 firmware

≤ 16.03.08.12

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Buffer overflow in router web interface (/goform/PowerSaveSet) enables remote code execution via exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC20_Buffer_Overflow/Tenda%20AC20_Buffer_Overflow.md#poc
Exploit, Third Party Advisory · cna@vuldb.com
https://github.com/xyh4ck/iot_poc/tree/main/Tenda%20AC20_Buffer_Overflow
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.338742
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.338742
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.726360
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com