CVE-2025-13446 is a stack-based buffer overflow vulnerability identified in the Tenda AC21 router firmware version 16.03.08.16. The vulnerability resides in the handling of the /goform/SetSysTimeCfg endpoint, specifically in the processing of the timeZone/time parameter. Improper validation or bounds checking of this input allows an attacker to overwrite the stack memory, potentially leading to arbitrary code execution or device crashes. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 8.7, reflecting its high severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:L), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high, as successful exploitation can lead to full device compromise. Although no confirmed exploits are currently observed in the wild, public disclosure of exploit code increases the likelihood of imminent attacks. The lack of available patches or official mitigation guidance at the time of publication necessitates immediate defensive measures by affected users. This vulnerability threatens the security of networks relying on Tenda AC21 routers, potentially allowing attackers to disrupt network operations or pivot into internal systems.

For European organizations, this vulnerability can have severe consequences. The Tenda AC21 router is commonly used in small to medium enterprise and residential environments, meaning a broad attack surface exists. Successful exploitation could allow attackers to gain control over the router, intercept or manipulate network traffic, disrupt internet connectivity, or use the compromised device as a foothold for lateral movement within corporate networks. This can lead to data breaches, service outages, and loss of trust. Critical infrastructure or organizations with remote workforces relying on these routers are particularly at risk. The remote and unauthenticated nature of the exploit means attackers can target devices over the internet, increasing the threat to organizations without robust perimeter defenses. Additionally, the public availability of exploit code raises the risk of automated scanning and mass exploitation campaigns targeting vulnerable devices across Europe.

Given the absence of official patches at the time of disclosure, European organizations should implement immediate compensating controls. These include isolating Tenda AC21 routers from direct internet exposure by placing them behind firewalls or VPNs, restricting access to the /goform/SetSysTimeCfg endpoint via network segmentation or access control lists, and monitoring network traffic for anomalous requests targeting this endpoint. Organizations should also conduct an inventory to identify all affected devices and prioritize their replacement or firmware upgrade once patches become available. Employing intrusion detection systems (IDS) or intrusion prevention systems (IPS) with signatures for this vulnerability can help detect exploitation attempts. Regularly updating router firmware and subscribing to vendor security advisories will ensure timely patch application. Finally, educating IT staff about this vulnerability and encouraging rapid incident response readiness will reduce potential damage.