CVE-2025-14654: Stack-based Buffer Overflow in Tenda AC20
A vulnerability was identified in Tenda AC20 16.03.08.12. The affected element is the function formSetPPTPUserList, which handles /goform/setPptpUserList in the httpd component. Manipulating the argument list leads to a stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used.
AI Analysis
Technical Summary
CVE-2025-14654 is a stack-based buffer overflow vulnerability identified in the Tenda AC20 router firmware version 16.03.08.12. The vulnerability resides in the formSetPPTPUserList function, which is part of the HTTP daemon handling the /goform/setPptpUserList endpoint. This function improperly handles input arguments, allowing an attacker to overflow a stack buffer by sending crafted HTTP requests. The overflow can corrupt the stack, enabling remote code execution or denial of service. The attack vector is network-based and does not require authentication or user interaction, making it highly exploitable. The vulnerability has a CVSS 4.0 base score of 8.7, reflecting high impact on confidentiality, integrity, and availability. Although no active exploitation has been reported, a public exploit exists, increasing the urgency for mitigation. The flaw affects only the specified firmware version, and no official patches have been linked yet, indicating a need for vendor response or alternative mitigations.
Potential Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on affected Tenda AC20 routers, potentially gaining full control over the device. This compromises the confidentiality of network traffic and credentials passing through the router, undermines the integrity of network configurations, and can disrupt availability by causing device crashes or persistent denial of service. Compromised routers can be leveraged as entry points into internal networks, facilitating lateral movement, data exfiltration, or launching further attacks such as man-in-the-middle or botnet recruitment. The lack of authentication requirements and remote exploitability significantly broadens the attack surface, posing a substantial risk to organizations and home users relying on this hardware for network connectivity and security.
Mitigation Recommendations
1. Immediately check for firmware updates from Tenda addressing CVE-2025-14654 and apply them as soon as they become available.
2. If no patch is available, restrict access to the router's management interface by limiting exposure to trusted networks only, ideally disabling remote management over WAN.
3. Implement network-level protections such as firewall rules to block unsolicited inbound traffic targeting the /goform/setPptpUserList endpoint or HTTP management ports.
4. Monitor network traffic for unusual or malformed HTTP requests indicative of exploitation attempts.
5. Consider segmenting critical network assets away from vulnerable routers to reduce potential impact.
6. Replace affected devices with models confirmed to be free from this vulnerability if patching is not feasible.
7. Educate network administrators on the risks and signs of exploitation to enable rapid detection and response.
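One way to implement the monitoring in recommendations 2 to 4, as an added example that is not part of the original advisory or any vendor tooling: a Python check over captured HTTP requests that flags hits on the endpoint from outside the management network and oversized list values. The length threshold, the trusted network and the sample requests are assumptions constructed for illustration; the advisory does not state the buffer size or the value format.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/goform/setPptpUserList"   # path named in the advisory
PARAM = "list"                          # argument named in the advisory
MAX_LIST_LEN = 256                      # assumption: site-tunable, NOT the real buffer size
TRUSTED = [ipaddress.ip_network("192.168.0.0/24")]  # assumption: management LAN

def inspect_request(raw: bytes, src_ip: str) -> list[str]:
    """Return findings for one captured HTTP request (empty list = nothing to report)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        _method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return ["malformed-request-line"]
    url = urlsplit(target)
    # Compare case-insensitively: over-matching is the safe side for detection.
    if url.path.rstrip("/").lower() != ENDPOINT.lower():
        return []
    findings = []
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in TRUSTED):
        findings.append("endpoint-hit-from-untrusted-source")
    # The parameter may arrive in the query string or a form-encoded body;
    # parse_qsl percent-decodes, so the length is that of the decoded value.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    for name, value in pairs:
        if name == PARAM and len(value) > MAX_LIST_LEN:
            findings.append(f"oversized-{PARAM}-parameter:{len(value)}")
    return findings

# Constructed samples (not captured traffic); the value formats are placeholders.
_HDR = (b"POST /goform/setPptpUserList HTTP/1.1\r\nHost: 192.168.0.1\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
BENIGN = _HDR + b"list=placeholder-entry"
OVERSIZED = _HDR + b"list=" + b"x" * 1000
OTHER = b"GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"

if __name__ == "__main__":
    for label, raw, ip in [("benign/lan", BENIGN, "192.168.0.10"),
                           ("benign/wan", BENIGN, "203.0.113.7"),
                           ("oversized/wan", OVERSIZED, "203.0.113.7"),
                           ("other/wan", OTHER, "203.0.113.7")]:
        print(label, inspect_request(raw, ip))
```

Tune MAX_LIST_LEN against the longest value legitimate administration produces on your network; a finding from an untrusted source is worth alerting on regardless of length.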
Affected Countries
China, United States, India, Brazil, Russia, Germany, United Kingdom, France, South Africa, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-13T09:48:02.488Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693e9015f795bf52904ccd6e
Added to database: 12/14/2025, 10:23:17 AM
Last enriched: 2/24/2026, 10:59:33 PM
Last updated: 3/23/2026, 11:43:49 PM