CVE-2025-11386 is a stack-based buffer overflow vulnerability identified in the Tenda AC15 router firmware version 15.03.05.18. The vulnerability resides in an unspecified function handling POST requests to the /goform/SetDDNSCfg endpoint, specifically when processing the ddnsEn parameter. By sending a specially crafted POST request with manipulated ddnsEn data, an attacker can overflow the stack buffer, potentially overwriting return addresses or other control data. This can lead to arbitrary code execution or cause the device to crash, resulting in denial of service. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it highly dangerous. The CVSS v4.0 score is 8.7, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. While no active exploitation has been reported, a public exploit is available, increasing the likelihood of attacks. The vulnerability affects a widely deployed consumer and small business router model, which may be used in various European networks. The lack of an official patch at the time of disclosure necessitates immediate defensive measures to mitigate risk.

For European organizations, the exploitation of CVE-2025-11386 could lead to severe consequences including unauthorized access to internal networks, interception or manipulation of sensitive data, and disruption of network services. Compromise of routers can serve as a foothold for lateral movement, data exfiltration, or launching further attacks such as ransomware or espionage campaigns. Small and medium enterprises, as well as home office environments relying on Tenda AC15 routers, are particularly vulnerable due to potentially weaker security monitoring. Critical infrastructure or government networks using these devices could face operational disruptions or data breaches. The public availability of an exploit increases the risk of opportunistic attacks, including automated scanning and exploitation by threat actors. The vulnerability’s remote and unauthenticated nature means attackers can target devices exposed to the internet or accessible from less secure internal networks.

1. Immediately identify and inventory all Tenda AC15 routers running firmware version 15.03.05.18 within the network. 2. Monitor vendor communications closely for official firmware updates addressing this vulnerability and apply patches promptly upon release. 3. Until patches are available, restrict access to the /goform/SetDDNSCfg endpoint by implementing network-level controls such as firewall rules or access control lists to block unauthorized external and internal access. 4. Disable remote management features on affected routers if not required, especially WAN-side access. 5. Employ network segmentation to isolate vulnerable devices from critical assets and sensitive data. 6. Use intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect exploitation attempts targeting this vulnerability. 7. Educate users and administrators about the risk and signs of compromise related to router vulnerabilities. 8. Consider replacing affected devices with models from vendors with stronger security track records if patching is delayed or unsupported.