CVE-2025-29386

CVE-2025-29386 is a stack overflow vulnerability (CWE-787) affecting the Tenda AC9 v1.0 router on firmware version V15.03.05.14_multi. The issue resides in the "mac" parameter of the /goform/AdvSetMacMtuWan web endpoint, where insufficient bounds checking allows a stack buffer overflow. This flaw enables remote arbitrary code execution and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

The vulnerability is exploitable by unauthenticated remote attackers with network access to the router's web interface. No privileges, user interaction, or special conditions are required, allowing low-complexity attacks via crafted HTTP requests targeting the vulnerable parameter. Successful exploitation grants attackers arbitrary code execution on the device, with high impacts on confidentiality, integrity, and availability, potentially leading to full router compromise.

Mitigation details are not specified in the CVE publication, published on 2025-03-14. Security practitioners should consult the referenced GitHub advisory at https://github.com/shuqi233/loophole/blob/main/Tenda%20AC9/AdvSetMacMtuWan4.md for technical analysis and potential workarounds, while isolating affected devices and monitoring for unusual traffic to the endpoint.