CVE-2025-13445 is a stack-based buffer overflow vulnerability identified in the Tenda AC21 router firmware version 16.03.08.16. The vulnerability resides in the /goform/SetIpMacBind endpoint, which handles IP and MAC binding configurations. By manipulating the argument list sent to this endpoint, an attacker can overflow a stack buffer, leading to memory corruption. This corruption can be leveraged to execute arbitrary code on the device with elevated privileges, potentially allowing full control over the router. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it highly dangerous. The CVSS 4.0 base score is 8.7 (high), reflecting the ease of exploitation (network vector, low complexity), no privileges required, and the high impact on confidentiality, integrity, and availability. Although no confirmed exploits in the wild have been reported, proof-of-concept exploit code has been published, increasing the likelihood of active exploitation. The vulnerability affects a widely deployed consumer and small business router model, which often serves as a gateway device, making exploitation a critical threat to network security. The lack of available patches at the time of publication necessitates immediate mitigation through network-level controls and monitoring.

For European organizations, exploitation of this vulnerability could lead to complete compromise of affected Tenda AC21 routers, enabling attackers to intercept, modify, or redirect network traffic, disrupt internet connectivity, or use the device as a foothold for further attacks within the internal network. This could result in data breaches, loss of service, and exposure of sensitive information. Small and medium enterprises, as well as home office environments relying on these routers, are particularly vulnerable due to limited IT security resources. Critical infrastructure sectors using these devices for network connectivity could face operational disruptions. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially in countries with higher market penetration of Tenda products. The published exploit code may accelerate attack campaigns targeting vulnerable devices across Europe.

1. Immediately restrict remote access to the router’s management interface, especially from untrusted networks, using firewall rules or network segmentation. 2. Disable or limit the IP-MAC binding feature if not required, reducing the attack surface. 3. Monitor network traffic for unusual activity targeting the /goform/SetIpMacBind endpoint or signs of exploitation attempts. 4. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures for this vulnerability once available. 5. Regularly check for and apply firmware updates from Tenda as soon as patches addressing CVE-2025-13445 are released. 6. For organizations with large deployments, consider replacing vulnerable devices with models from vendors with robust security update policies. 7. Educate IT staff about this vulnerability and ensure incident response plans include steps for router compromise scenarios.