CVE-2025-11356 is a buffer overflow vulnerability identified in the Tenda AC23 router firmware versions up to 16.03.07.52. The vulnerability resides in the sscanf function used by the /goform/SetStaticRouteCfg endpoint, which processes static route configuration parameters. Improper handling of input arguments allows an attacker to overflow a buffer remotely without requiring authentication or user interaction. This overflow can corrupt memory, potentially enabling arbitrary code execution, denial of service, or complete device compromise. The vulnerability is remotely exploitable over the network, making it particularly dangerous for exposed devices. The CVSS 4.0 base score is 8.7, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction needed. While no confirmed exploits are currently active in the wild, public proof-of-concept exploits have been released, increasing the risk of imminent attacks. The affected product, Tenda AC23, is a widely used consumer and small business Wi-Fi 6 router, often deployed in home offices and small enterprises. The vulnerability’s exploitation could allow attackers to gain persistent control over network traffic, intercept sensitive data, or disrupt network availability. The lack of an official patch at the time of disclosure necessitates immediate mitigation efforts by network administrators.

For European organizations, this vulnerability poses a significant threat due to the widespread use of Tenda AC23 routers in both residential and small business environments. Successful exploitation could lead to unauthorized access to internal networks, interception of confidential communications, and disruption of network services. Critical sectors such as finance, healthcare, and government agencies that rely on secure and stable network infrastructure may face data breaches or operational outages. The ability to remotely exploit the vulnerability without authentication increases the risk of automated attacks and worm-like propagation within vulnerable networks. Additionally, compromised routers could be leveraged as pivot points for lateral movement or as part of botnets targeting European infrastructure. The impact extends beyond individual organizations to national cybersecurity, especially where Tenda devices are integrated into essential services or critical infrastructure.

1. Monitor Tenda’s official channels for firmware updates addressing CVE-2025-11356 and apply patches immediately upon release. 2. Until patches are available, disable remote management interfaces (especially WAN-side access) on all Tenda AC23 routers to reduce exposure. 3. Implement network segmentation to isolate vulnerable routers from critical systems and sensitive data. 4. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting exploitation attempts targeting /goform/SetStaticRouteCfg. 5. Conduct network scans to identify all Tenda AC23 devices and verify firmware versions to prioritize remediation. 6. Enforce strict access controls and monitor router logs for anomalous configuration changes or suspicious traffic patterns. 7. Educate users and administrators about the risks of using outdated router firmware and the importance of timely updates. 8. Consider temporary replacement of vulnerable devices in high-risk environments with alternative hardware until patched.