CVE-2025-11328 is a stack-based buffer overflow vulnerability identified in the Tenda AC18 router firmware version 15.03.05.19(6318). The vulnerability exists in the processing of the /goform/SetDDNSCfg endpoint, specifically in the handling of the ddnsEn parameter. An attacker can remotely send crafted requests to this endpoint, manipulating the ddnsEn argument to overflow the stack buffer. This overflow can overwrite critical memory regions, potentially allowing arbitrary code execution with elevated privileges on the device. The vulnerability requires no user interaction and no prior authentication, making it highly exploitable over the network. The CVSS v4.0 base score is 8.7, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although no exploits have been observed in the wild yet, a public exploit has been released, increasing the likelihood of exploitation. The vulnerability affects only the specified firmware version, and no official patches have been linked yet. The Tenda AC18 is a widely used consumer and small business router, often deployed in home offices and small enterprises, which may lack robust security monitoring. Attackers exploiting this vulnerability could gain full control over the router, intercept or manipulate traffic, disrupt network services, or pivot to internal networks.

For European organizations, the impact of CVE-2025-11328 can be significant. Compromise of Tenda AC18 routers could lead to unauthorized access to internal networks, interception of sensitive communications, and disruption of network availability. Small and medium enterprises (SMEs) and home offices that rely on these routers without additional security layers are particularly vulnerable. Attackers could leverage this vulnerability to establish persistent footholds, launch further attacks against corporate assets, or exfiltrate confidential data. Critical infrastructure sectors using these devices for network connectivity could face operational disruptions. The lack of authentication and user interaction requirements increases the risk of automated exploitation campaigns. Given the public availability of exploits, rapid exploitation attempts are likely, potentially leading to widespread compromise if unmitigated. This vulnerability also poses risks to privacy and regulatory compliance under GDPR if personal data is intercepted or compromised through the affected devices.

1. Immediate mitigation involves disabling the DDNS feature on Tenda AC18 routers if it is not essential, reducing the attack surface. 2. Network administrators should segment and isolate vulnerable routers from critical internal networks to limit potential lateral movement. 3. Monitor network traffic for unusual requests to the /goform/SetDDNSCfg endpoint and implement intrusion detection/prevention rules to block exploit attempts. 4. Apply firmware updates from Tenda as soon as official patches become available; if no patch is released promptly, consider replacing affected devices with more secure alternatives. 5. Employ network access controls and firewall rules to restrict external access to router management interfaces. 6. Conduct regular vulnerability assessments and penetration tests focusing on network edge devices. 7. Educate users and administrators about the risks of enabling unnecessary services like DDNS and encourage secure configuration practices. 8. Maintain up-to-date asset inventories to quickly identify and remediate vulnerable devices across the organization.