CVE-2025-22946

CVE-2025-22946 is a stack overflow vulnerability in the Tenda AC9 v1.0 router running firmware version v15.03.05.19. The flaw occurs in the /goform/SetOnlineDevName web endpoint due to improper input handling, such as unsafe use of sprintf, which can lead to remote arbitrary code execution. Published on 2025-01-10, it is associated with CWE-120 (Buffer Copy without Checking Size of Input) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Remote attackers with network access can exploit this vulnerability without authentication or user interaction. By sending a specially crafted HTTP request to the /goform/SetOnlineDevName endpoint, an attacker triggers the stack overflow, enabling arbitrary code execution on the device. Successful exploitation grants full control over the router, potentially allowing attackers to pivot within the network, steal data, or disrupt services.

Mitigation details and technical analysis are available in the referenced advisory at https://noisy-caravel-a9a.notion.site/Tenda_AC9V1-0_V15-03-05-19_formSetDeviceName_sprintf_bof-16f898c94eac8057afcbceb63fda7d24. No vendor patches or additional official advisories are specified in the CVE data.