CVE-2025-11328 is a stack-based buffer overflow vulnerability identified in the Tenda AC18 router firmware version 15.03.05.19(6318). The vulnerability exists in the processing of the ddnsEn parameter within the /goform/SetDDNSCfg HTTP endpoint. Specifically, improper validation or bounds checking of this argument allows an attacker to overflow a stack buffer remotely. This flaw can be exploited without any authentication or user interaction, making it highly accessible to remote attackers. The overflow could enable attackers to execute arbitrary code on the device, potentially gaining full control over the router, or cause a denial of service by crashing the device. The vulnerability is classified with a CVSS 4.0 score of 8.7, indicating high severity due to its remote exploitability, lack of required privileges, and significant impact on confidentiality, integrity, and availability. Although no active exploitation has been reported in the wild, a public exploit is available, increasing the likelihood of attacks. The vulnerability affects a widely deployed consumer and small business router model, which is often used as a gateway device, making it a critical attack vector for network compromise.

The impact of CVE-2025-11328 is significant for organizations using Tenda AC18 routers. Successful exploitation can lead to remote code execution, allowing attackers to take full control of the device. This compromises the confidentiality of network traffic, integrity of routing and firewall rules, and availability of network connectivity. Attackers could use compromised routers as footholds for lateral movement within networks, launch man-in-the-middle attacks, or disrupt business operations by causing denial of service. Given that routers are critical infrastructure components, this vulnerability poses a risk to both enterprise and home networks, potentially affecting sensitive data and operational continuity. The availability of a public exploit increases the risk of widespread attacks, especially targeting unpatched devices. Organizations relying on these routers for critical connectivity or remote access should consider the vulnerability a high priority for remediation.

To mitigate CVE-2025-11328, organizations should first check for and apply any official firmware updates from Tenda that address this vulnerability. If patches are not yet available, network administrators should restrict access to the router’s management interfaces, especially the /goform/SetDDNSCfg endpoint, by implementing firewall rules that limit access to trusted IP addresses only. Disabling remote management features or the DDNS service if not required can reduce the attack surface. Network segmentation should be employed to isolate vulnerable devices from critical infrastructure. Monitoring network traffic for unusual requests targeting the vulnerable endpoint can help detect exploitation attempts. Additionally, organizations should consider replacing affected devices with models from vendors with more robust security track records if patching is not feasible. Regularly auditing router configurations and applying security best practices will further reduce risk.