CVE-2025-14654: Stack-based Buffer Overflow in Tenda AC20
A vulnerability was identified in Tenda AC20 16.03.08.12. The affected element is the function formSetPPTPUserList of the file /goform/setPptpUserList of the component httpd. Manipulation of the argument list leads to a stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used.
AI Analysis
Technical Summary
CVE-2025-14654 is a stack-based buffer overflow vulnerability identified in the Tenda AC20 router firmware version 16.03.08.12. The vulnerability resides in the formSetPPTPUserList function, which processes requests to the /goform/setPptpUserList endpoint handled by the embedded HTTP server (httpd). Specifically, improper handling and validation of input arguments in this function allow an attacker to overflow the stack buffer by sending a specially crafted request. This overflow can corrupt the stack, potentially enabling remote code execution or denial of service. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it highly dangerous. The CVSS v4.0 score of 8.7 reflects the ease of exploitation (network attack vector, low complexity) and the high impact on confidentiality, integrity, and availability. Although no active exploitation has been observed in the wild, a public exploit is available, increasing the likelihood of attacks. The vulnerability affects only the specified firmware version 16.03.08.12 of the Tenda AC20 router, a device commonly used in small to medium business and home networks. The lack of an official patch or update link in the provided data suggests that mitigation may currently rely on network-level protections or firmware updates from the vendor once available.
Potential Impact
For European organizations, exploitation of CVE-2025-14654 could lead to severe consequences including unauthorized remote code execution on affected routers, enabling attackers to intercept, modify, or disrupt network traffic. This compromises confidentiality by exposing sensitive data, integrity by allowing manipulation of communications, and availability by potentially causing router crashes or network outages. Organizations relying on Tenda AC20 devices for VPN or PPTP user management are particularly vulnerable, as the exploited function relates to PPTP user list configuration. Critical infrastructure, SMEs, and enterprises using these routers as part of their network perimeter could face data breaches, lateral movement by attackers, and operational disruptions. The public availability of an exploit increases the risk of opportunistic attacks, including ransomware or espionage campaigns targeting European entities. Additionally, compromised routers could be leveraged as entry points into internal networks or as part of botnets, amplifying the threat landscape.
Mitigation Recommendations
Organizations should immediately inventory their network devices to identify any Tenda AC20 routers running firmware version 16.03.08.12. Until an official patch is released by Tenda, network administrators should implement strict access controls to restrict external access to the router’s management interfaces, especially the /goform/setPptpUserList endpoint. Deploy network-level protections such as firewalls or intrusion prevention systems (IPS) to detect and block exploit attempts targeting this vulnerability. Disable PPTP VPN services if not in use, as the vulnerability is related to PPTP user list management. Monitor network traffic for anomalous requests to the affected endpoint and unusual router behavior. Segregate vulnerable devices on isolated network segments to limit potential lateral movement. Regularly check for firmware updates from Tenda and apply patches promptly once available. Consider replacing affected devices with models from vendors with faster security response times if patching is delayed.
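The monitoring recommendation above can be turned into a simple log check. The following is an added example, not part of the advisory or any vendor tooling: it scans Zeek `http.log` records in JSON form for requests to /goform/setPptpUserList and flags those that come from outside a management subnet or carry unusually large parameters. The subnet, the size threshold and the sample events are assumptions; the advisory does not state the size of the overflowed buffer, so the threshold is a site baseline to tune.

```python
import ipaddress
import json
from urllib.parse import unquote, urlsplit

ENDPOINT = "/goform/setpptpuserlist"  # path named in the advisory, lowercased
MGMT_NETS = [ipaddress.ip_network("192.168.10.0/28")]  # assumption: admin subnet
MAX_PARAM_BYTES = 512  # assumption: site baseline, not a value from the firmware

# Constructed sample events in Zeek http.log JSON form (documentation addresses).
SAMPLE_LOG = """\
{"ts":1765700000.1,"id.orig_h":"192.168.10.5","method":"POST","uri":"/goform/setPptpUserList","request_body_len":96}
{"ts":1765700050.4,"id.orig_h":"203.0.113.44","method":"POST","uri":"/goform/setPptpUserList","request_body_len":88}
{"ts":1765700093.7,"id.orig_h":"192.168.10.7","method":"POST","uri":"/goform/%73etPptpUserList?x=1","request_body_len":4096}
{"ts":1765700120.0,"id.orig_h":"198.51.100.9","method":"GET","uri":"/index.html","request_body_len":0}
not-json garbage line
"""

def triage(event):
    """Return the reasons an event deserves review (empty list if none)."""
    parts = urlsplit(event.get("uri", ""))
    if unquote(parts.path).lower().rstrip("/") != ENDPOINT:
        return []
    reasons = []
    try:
        src = ipaddress.ip_address(event.get("id.orig_h", ""))
        if not any(src in net for net in MGMT_NETS):
            reasons.append("source-outside-management-net")
    except ValueError:
        reasons.append("unparseable-source")
    # Parameters may arrive in the body or the query string; count both.
    size = int(event.get("request_body_len") or 0) + len(parts.query)
    if size > MAX_PARAM_BYTES:
        reasons.append("oversized-parameters")
    return reasons

def scan(log_text):
    """Return (source, uri, reasons) for each flagged line; skip malformed lines."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = triage(event) if isinstance(event, dict) else []
        if reasons:
            findings.append((event.get("id.orig_h"), event["uri"], reasons))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The check only sees cleartext HTTP that the sensor can observe, so it complements rather than replaces restricting access to the management interface.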
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-13T09:48:02.488Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693e9015f795bf52904ccd6e
Added to database: 12/14/2025, 10:23:17 AM
Last enriched: 12/21/2025, 10:49:59 AM
Last updated: 2/4/2026, 11:38:01 PM