CVE-2025-12611 is a buffer overflow vulnerability identified in the Tenda AC21 router firmware version 16.03.08.16. The flaw exists in the formSetPPTPServer function within the /goform/SetPptpServerCfg endpoint, where improper handling of the startIp parameter allows an attacker to overflow a buffer. This vulnerability can be exploited remotely without authentication or user interaction, enabling attackers to execute arbitrary code on the device. The vulnerability has been assigned a CVSS 4.0 score of 8.7, reflecting its high severity due to network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. While no active exploitation in the wild has been reported, a public exploit is available, increasing the risk of imminent attacks. The vulnerability targets the PPTP server configuration interface, which is often exposed on routers used in home and small business environments. Successful exploitation could lead to full device compromise, allowing attackers to intercept or manipulate network traffic, pivot into internal networks, or disrupt network availability. The lack of a patch at the time of disclosure necessitates immediate mitigation through network controls and disabling vulnerable services where possible.

For European organizations, this vulnerability poses a significant risk, particularly for small and medium-sized enterprises and home office setups that commonly use Tenda AC21 routers. Exploitation could lead to unauthorized remote code execution, resulting in loss of confidentiality through interception of sensitive data, integrity breaches by altering network traffic or configurations, and availability disruptions via device crashes or denial of service. Compromised routers can serve as footholds for lateral movement within corporate networks or as launch points for broader attacks. Critical infrastructure sectors relying on these devices for connectivity could face operational disruptions. The public availability of an exploit increases the likelihood of targeted attacks or opportunistic scanning by cybercriminals. Given the remote, unauthenticated nature of the exploit, organizations face a heightened threat without requiring user interaction, making detection and prevention more challenging.

1. Immediately monitor vendor communications for firmware updates addressing CVE-2025-12611 and apply patches as soon as they become available. 2. In the interim, restrict access to the router's management interfaces, especially the /goform/SetPptpServerCfg endpoint, by implementing firewall rules or network segmentation to limit exposure to untrusted networks. 3. Disable the PPTP server functionality on Tenda AC21 devices if it is not required, reducing the attack surface. 4. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or anomaly detection capable of identifying exploit attempts targeting this vulnerability. 5. Conduct network scans to identify Tenda AC21 devices running the vulnerable firmware version and prioritize their remediation. 6. Educate IT staff and users about the risks associated with outdated router firmware and the importance of timely updates. 7. Consider replacing vulnerable devices with models from vendors with stronger security track records if patching is delayed or unsupported.