CVE-2025-11122 is a stack-based buffer overflow vulnerability identified in the Tenda AC18 router firmware version 15.03.05.19. The flaw exists in an unspecified function within the /goform/WizardHandle endpoint, specifically triggered by manipulation of the WANT/mtuvalue argument. This improper input validation allows an attacker to overflow the stack buffer remotely, potentially leading to arbitrary code execution on the device. The vulnerability requires no authentication or user interaction, making it exploitable over the network by any remote attacker. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no authentication, and high impact on confidentiality, integrity, and availability. Although no exploits have been observed in the wild yet, public exploit code availability increases the risk of imminent attacks. The vulnerability affects only the specified firmware version, and no official patches or updates have been linked yet, highlighting the urgency for vendor response. The Tenda AC18 is commonly used in small office and home office environments, making it a critical point of entry for attackers targeting internal networks. Exploitation could allow attackers to gain control over the router, intercept or manipulate traffic, and pivot to other network assets.

For European organizations, this vulnerability poses a significant risk, especially for small and medium enterprises (SMEs) and remote workers relying on Tenda AC18 routers. Successful exploitation can lead to full compromise of the router, enabling attackers to intercept sensitive communications, deploy malware, or create persistent backdoors. This threatens confidentiality of corporate data, integrity of network traffic, and availability of internet connectivity. Given the router’s role as a network gateway, attackers could pivot to internal systems, escalating the impact. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing the likelihood of attacks. European sectors with high reliance on remote work infrastructure, such as finance, healthcare, and government agencies, could face operational disruptions and data breaches. Additionally, the public availability of exploit code may accelerate attack campaigns targeting vulnerable devices across Europe.

1. Immediate action should focus on monitoring Tenda’s official channels for firmware updates addressing CVE-2025-11122 and applying patches promptly once released. 2. Until patches are available, network administrators should restrict access to the router’s management interface, especially blocking inbound traffic to /goform/WizardHandle from untrusted networks. 3. Implement network segmentation to isolate vulnerable routers from critical internal systems, limiting lateral movement opportunities. 4. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures targeting exploit attempts against this vulnerability. 5. Conduct regular network traffic analysis to detect anomalous requests targeting the WANT/mtuvalue parameter or unusual router behavior. 6. Educate users and IT staff about the risks of using outdated firmware and the importance of timely updates. 7. Consider replacing vulnerable Tenda AC18 devices with alternative hardware if patching is delayed or unsupported. 8. Employ strong network access controls and multi-factor authentication on management interfaces where possible to reduce risk from other attack vectors.