CVE-2025-45428 is a critical stack overflow vulnerability identified in the Tenda AC9 router, specifically in firmware version V15.03.05.14_multi. The vulnerability resides in the handling of the rebootTime parameter within the /goform/SetSysAutoRebbotCfg endpoint. This parameter is susceptible to a stack-based buffer overflow (CWE-121), which can be exploited remotely without authentication or user interaction. An attacker can send a specially crafted request to this endpoint, causing the overflow and enabling arbitrary code execution on the device. Given the nature of the vulnerability, successful exploitation can lead to full compromise of the router, allowing attackers to execute malicious code with the privileges of the device's firmware. The CVSS v3.1 base score of 9.8 reflects the high impact on confidentiality, integrity, and availability, with an attack vector that is network-based and requires no privileges or user interaction. Although no known exploits are currently reported in the wild, the ease of exploitation and critical severity make this a significant threat. The vulnerability affects a widely used consumer-grade router model, which is often deployed in home and small office environments, potentially serving as a gateway to internal networks.

For European organizations, the exploitation of this vulnerability could have severe consequences. Compromised Tenda AC9 routers could serve as entry points for attackers to infiltrate internal networks, intercept sensitive communications, or launch further attacks such as lateral movement or data exfiltration. The integrity and availability of network infrastructure could be disrupted, leading to operational downtime and loss of trust. Small and medium enterprises (SMEs) and home offices relying on these routers are particularly at risk, as these devices often lack advanced security monitoring. Additionally, critical sectors such as finance, healthcare, and government agencies using these routers in branch offices or remote locations could face heightened risks. The vulnerability's remote exploitation capability without authentication increases the attack surface, potentially enabling widespread automated attacks if weaponized. The lack of patches at the time of disclosure further exacerbates the risk for European entities.

1. Immediate network segmentation: Isolate Tenda AC9 routers from critical internal networks to limit potential lateral movement if compromised. 2. Disable remote management interfaces on affected devices to reduce exposure to external attacks. 3. Monitor network traffic for unusual activity targeting the /goform/SetSysAutoRebbotCfg endpoint or anomalous reboot commands. 4. Implement strict firewall rules to restrict inbound traffic to router management interfaces, ideally allowing only trusted IP addresses. 5. Engage with Tenda support or authorized vendors to obtain firmware updates or patches as soon as they become available; prioritize deployment in all affected environments. 6. Where patching is not immediately possible, consider replacing vulnerable devices with alternative models from vendors with robust security track records. 7. Educate users and administrators about the risks of this vulnerability and encourage vigilance for signs of compromise. 8. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics tailored to detect exploitation attempts targeting this vulnerability. 9. Conduct regular security audits of network devices to identify and remediate vulnerable firmware versions.