CVE-2025-14655 is a stack-based buffer overflow vulnerability identified in the Tenda AC20 router firmware version 16.03.08.12. The vulnerability resides in the formSetRebootTimer function, specifically in the /goform/SetSysAutoRebbotCfg HTTP endpoint handled by the router's embedded HTTP daemon (httpd). The flaw is triggered by sending a specially crafted rebootTime parameter that exceeds the buffer size allocated on the stack, causing a buffer overflow. This overflow can overwrite the stack memory, potentially allowing an attacker to execute arbitrary code with the privileges of the httpd process. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it highly accessible to attackers scanning for vulnerable devices. The CVSS v4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, as successful exploitation could lead to full compromise of the device, network disruption, or use as a pivot point for further attacks. Although no confirmed exploits in the wild have been reported, the public release of an exploit increases the likelihood of active exploitation. The lack of an official patch or firmware update at the time of disclosure further exacerbates the risk. The vulnerability affects a widely deployed consumer and small business router model, which is often used in home and office environments, potentially exposing a large attack surface.

For European organizations, exploitation of CVE-2025-14655 could lead to severe consequences including unauthorized remote code execution on network routers, resulting in loss of network availability, interception or manipulation of network traffic, and potential lateral movement within corporate networks. This could compromise sensitive data confidentiality and integrity, disrupt business operations, and facilitate further attacks such as ransomware or espionage. Small and medium enterprises relying on Tenda AC20 devices for internet connectivity or network segmentation are particularly vulnerable. The public availability of an exploit increases the risk of widespread attacks, including automated scanning and exploitation campaigns. Critical infrastructure sectors that depend on reliable network equipment may face operational disruptions. Additionally, the vulnerability could be leveraged to create botnets or launch distributed denial-of-service (DDoS) attacks, impacting broader internet stability in Europe.

Immediate mitigation should focus on isolating vulnerable Tenda AC20 devices from untrusted networks by restricting access to the /goform/SetSysAutoRebbotCfg endpoint via firewall rules or network segmentation. Network administrators should implement strict access controls to management interfaces, preferably limiting them to trusted internal networks or VPNs. Monitoring network traffic for unusual POST requests targeting the rebootTime parameter can help detect exploitation attempts. Since no official patch is currently available, organizations should consider replacing affected devices with updated models or alternative vendors with timely security support. Employing intrusion detection/prevention systems (IDS/IPS) with signatures for this vulnerability can provide additional protection. Regularly auditing network devices for firmware versions and applying updates as soon as they become available is critical. Finally, educating staff about the risks of exposed network devices and enforcing strong network perimeter defenses will reduce exposure.