CVE-2025-10432 is a critical security vulnerability identified in the Tenda AC1206 router, specifically in firmware version 15.03.06.23. The flaw exists in the HTTP Request Handler component, within the function check_param_changed located in the /goform/AdvSetMacMtuWa endpoint. The vulnerability arises from improper handling of the wanMTU parameter, which allows an attacker to perform a stack-based buffer overflow. This type of overflow occurs when data exceeding the buffer's boundary is written onto the stack, potentially overwriting control data such as return addresses. The vulnerability is remotely exploitable without requiring authentication or user interaction, as the HTTP endpoint is accessible over the network. The publicly available exploit code increases the risk of exploitation by threat actors. The CVSS v4.0 score of 9.3 (critical) reflects the high impact on confidentiality, integrity, and availability, with an attack vector that is network-based and requires no privileges or user interaction. Successful exploitation could allow an attacker to execute arbitrary code on the router, leading to full compromise of the device. This could enable attackers to intercept or manipulate network traffic, pivot to internal networks, or disrupt network availability. The absence of an official patch at the time of disclosure further exacerbates the risk.

For European organizations, this vulnerability poses a significant risk, especially for those relying on Tenda AC1206 routers in their network infrastructure. Compromise of these routers can lead to interception of sensitive communications, unauthorized network access, and potential lateral movement within corporate networks. Given the router’s role as a gateway device, attackers could manipulate routing, DNS settings, or inject malicious payloads into network traffic, impacting confidentiality and integrity of data. Availability could also be affected if the device is crashed or rendered inoperable. Organizations in sectors with high data sensitivity such as finance, healthcare, and critical infrastructure are particularly vulnerable. Additionally, small and medium enterprises (SMEs) that often use consumer-grade routers like the Tenda AC1206 may lack robust network segmentation, increasing exposure. The public availability of exploit code means that even less sophisticated attackers could attempt exploitation, raising the urgency for mitigation. The vulnerability also has implications for home users working remotely, potentially exposing corporate VPNs or remote access solutions connected behind vulnerable routers.

Immediate mitigation steps include isolating the affected Tenda AC1206 devices from critical network segments and restricting access to the HTTP management interface from untrusted networks. Network administrators should implement strict firewall rules to block external access to the /goform/AdvSetMacMtuWa endpoint or the router’s management interface entirely. Monitoring network traffic for unusual requests targeting the wanMTU parameter can help detect exploitation attempts. Employing network intrusion detection systems (NIDS) with updated signatures for this CVE is advisable. Organizations should contact Tenda for firmware updates or patches and apply them as soon as they become available. In the absence of patches, consider replacing vulnerable devices with more secure alternatives. Additionally, enforcing network segmentation to limit the router’s exposure and using VPNs or secure tunnels for remote management can reduce risk. Regularly auditing router configurations and disabling unnecessary services or endpoints will further harden the device. Finally, educating IT staff about this vulnerability and ensuring incident response plans include steps for router compromise scenarios is critical.