CVE-2025-11091 is a remote buffer overflow vulnerability affecting the Tenda AC21 router firmware versions up to 16.03.08.16. The flaw exists in the sscanf function used in the /goform/SetStaticRouteCfg endpoint, which improperly processes input arguments, leading to a buffer overflow condition. This vulnerability can be exploited remotely without any authentication or user interaction, making it highly accessible to attackers. The buffer overflow can allow attackers to execute arbitrary code on the device, potentially gaining full control over the router. This could enable attackers to manipulate network traffic, intercept sensitive data, or pivot into internal networks. The vulnerability has a CVSS 4.0 score of 8.7, reflecting its high impact on confidentiality, integrity, and availability, combined with ease of exploitation. While no active exploitation has been reported, a public exploit is available, increasing the likelihood of attacks. The vulnerability affects a wide range of firmware versions, indicating that many deployed devices remain vulnerable. No official patches or firmware updates have been linked yet, emphasizing the need for immediate defensive measures. Given the critical role of routers in network infrastructure, exploitation could have severe consequences for organizational security.

For European organizations, exploitation of CVE-2025-11091 could lead to full compromise of Tenda AC21 routers, which serve as critical network gateways. Attackers could intercept or redirect sensitive communications, disrupt network availability, or use compromised routers as footholds for further attacks within corporate or governmental networks. This poses significant risks to confidentiality, integrity, and availability of data and services. Organizations with remote management interfaces exposed to the internet are particularly vulnerable, as the attack requires no authentication or user interaction. The public availability of an exploit increases the risk of widespread attacks, potentially targeting sectors such as finance, healthcare, government, and critical infrastructure. Additionally, compromised routers could be incorporated into botnets or used for launching distributed denial-of-service (DDoS) attacks, amplifying the threat landscape. The lack of current patches means that mitigation relies heavily on network-level controls and monitoring, increasing operational complexity and risk.

1. Immediately audit network environments to identify all Tenda AC21 devices running affected firmware versions. 2. Restrict access to router management interfaces by implementing network segmentation and firewall rules limiting access to trusted IP addresses only. 3. Disable remote management features if not strictly necessary to reduce exposure. 4. Monitor network traffic for unusual patterns or signs of exploitation attempts targeting /goform/SetStaticRouteCfg endpoints. 5. Employ intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect attempts exploiting this vulnerability. 6. Engage with Tenda support channels to obtain official firmware updates or patches as soon as they become available and prioritize their deployment. 7. Consider temporary replacement or isolation of vulnerable devices in high-risk environments until patches are applied. 8. Educate IT staff about the vulnerability and the importance of rapid response to suspicious activity related to router management interfaces.