CVE-2025-11091 is a high-severity remote buffer overflow vulnerability affecting the Tenda AC21 router firmware versions up to 16.03.08.16. The flaw exists in the sscanf function within the /goform/SetStaticRouteCfg endpoint. Specifically, improper handling and manipulation of the argument list passed to sscanf leads to a buffer overflow condition. This vulnerability can be exploited remotely without authentication or user interaction, allowing an attacker to send specially crafted requests to the affected endpoint. Successful exploitation could enable arbitrary code execution or cause denial of service by crashing the device. Given the nature of the vulnerability, it compromises the confidentiality, integrity, and availability of the router. The CVSS 4.0 base score is 8.7 (high), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Although no public exploit is currently known in the wild, a proof-of-concept exploit has been released publicly, increasing the risk of active exploitation. The vulnerability affects all firmware versions from 16.03.08.0 through 16.03.08.16, indicating a broad exposure for users who have not updated. The Tenda AC21 is a widely used consumer and small office/home office (SOHO) router model, making this vulnerability relevant for many network environments relying on this device for internet connectivity and routing functions.

For European organizations, the impact of CVE-2025-11091 can be significant. The Tenda AC21 is commonly deployed in small businesses, home offices, and some branch office environments across Europe due to its cost-effectiveness and feature set. Exploitation could lead to full compromise of the router, allowing attackers to intercept, modify, or redirect network traffic, potentially leading to data breaches or man-in-the-middle attacks. Additionally, attackers could leverage the compromised routers as footholds for lateral movement into corporate networks or as part of botnets for further attacks. The disruption of network availability through denial of service could impact business continuity, especially for organizations relying on these routers for critical connectivity. Given the remote exploitability without authentication, attackers can target vulnerable devices over the internet, increasing the risk to organizations with exposed management interfaces. The public availability of exploit code further elevates the threat level, making timely mitigation essential to prevent compromise.

1. Immediate firmware upgrade: Organizations should verify the firmware version of their Tenda AC21 devices and upgrade to a patched version beyond 16.03.08.16 as soon as the vendor releases a fix. If no patch is available yet, consider temporary mitigations. 2. Network segmentation: Isolate vulnerable routers from critical internal networks to limit potential lateral movement in case of compromise. 3. Disable remote management: If remote management interfaces are enabled on the Tenda AC21, disable them or restrict access via firewall rules to trusted IP addresses only. 4. Monitor network traffic: Implement network monitoring to detect unusual traffic patterns or attempts to exploit the /goform/SetStaticRouteCfg endpoint. 5. Replace devices: For high-risk environments, consider replacing vulnerable Tenda AC21 routers with devices from vendors with timely security support. 6. Incident response readiness: Prepare to respond to potential incidents involving router compromise, including forensic analysis and network isolation procedures. 7. Vendor communication: Engage with Tenda support channels to obtain information on patch availability and coordinate updates.