CVE-2025-13446 is a stack-based buffer overflow vulnerability identified in the Tenda AC21 router firmware version 16.03.08.16. The flaw resides in the handling of the timeZone/time parameter within the /goform/SetSysTimeCfg endpoint. When this parameter is manipulated with specially crafted input, it causes a buffer overflow on the stack, which can overwrite the return address or other control data, enabling remote code execution. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, making it highly dangerous. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P) reflects that the attack can be launched remotely with low complexity, no user interaction, and no privileges, resulting in high confidentiality, integrity, and availability impact. Although no confirmed exploits in the wild have been reported, the public disclosure of exploit code increases the risk of imminent attacks. The vulnerability affects a widely deployed consumer and small business router model, which is often used as a network gateway, thus compromising it could allow attackers to intercept, manipulate, or disrupt network traffic, deploy malware, or pivot to internal networks. The lack of available patches at the time of disclosure necessitates immediate mitigations to reduce exposure.

For European organizations, this vulnerability poses a significant risk due to the widespread use of Tenda AC21 routers in home offices, small businesses, and possibly some enterprise edge environments. Successful exploitation could lead to full device compromise, allowing attackers to intercept sensitive communications, manipulate network traffic, or establish persistent footholds within internal networks. This threatens confidentiality by exposing private data, integrity by enabling unauthorized changes to network configurations or data, and availability by potentially causing device crashes or network outages. The remote, unauthenticated nature of the exploit increases the likelihood of attacks, especially in environments where these devices are directly exposed to the internet or poorly segmented. The impact is particularly critical for sectors handling sensitive data such as finance, healthcare, and government services. Additionally, compromised routers could be leveraged in botnets or for launching further attacks, amplifying the threat landscape across Europe.

Immediate mitigation steps include restricting external network access to the router’s management interface, especially blocking access to the /goform/SetSysTimeCfg endpoint via firewall rules or network segmentation. Network administrators should monitor router logs and network traffic for unusual activity indicative of exploitation attempts. Until an official patch is released by Tenda, consider replacing vulnerable devices with models from vendors with timely security updates. Employ network intrusion detection/prevention systems (IDS/IPS) configured to detect buffer overflow attempts or anomalous HTTP requests targeting router management endpoints. Enforce strong network segmentation to isolate vulnerable devices from critical infrastructure. Regularly check Tenda’s official channels for firmware updates and apply patches promptly once available. Educate users about the risks of exposing router management interfaces to the internet and encourage disabling remote management if not strictly necessary.