CVE-2025-5847: Stack-based Buffer Overflow in Tenda AC9
A vulnerability has been found in Tenda AC9 15.03.02.13 and classified as critical. Affected by this vulnerability is the function formSetSafeWanWebMan of the file /goform/SetRemoteWebCfg of the component HTTP POST Request Handler. The manipulation of the argument remoteIp leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5847 is a critical stack-based buffer overflow vulnerability identified in the Tenda AC9 router, specifically version 15.03.02.13. The flaw exists in the HTTP POST request handler component, within the function formSetSafeWanWebMan located in the /goform/SetRemoteWebCfg endpoint. The vulnerability arises due to improper handling and validation of the remoteIp argument, which an attacker can manipulate to overflow the stack buffer. This overflow can lead to arbitrary code execution or cause the device to crash, resulting in denial of service. The vulnerability is remotely exploitable without requiring user interaction or prior authentication, making it highly dangerous. The CVSS 4.0 base score is 8.7, reflecting high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability affects the confidentiality, integrity, and availability of the device, as an attacker could gain control over the router or disrupt its operation. Although no public exploits are currently known to be actively used in the wild, the exploit details have been publicly disclosed, increasing the risk of imminent exploitation. The Tenda AC9 is a widely used consumer-grade Wi-Fi 6 router, often deployed in home and small office environments, which could be leveraged as a pivot point for broader network attacks if compromised.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for small and medium enterprises (SMEs) and home office setups that rely on Tenda AC9 routers for internet connectivity. Successful exploitation could lead to full compromise of the router, allowing attackers to intercept, modify, or redirect network traffic, potentially leading to data breaches or lateral movement within corporate networks. The disruption of network availability could impact business continuity. Additionally, compromised routers could be conscripted into botnets for large-scale attacks such as DDoS campaigns, indirectly affecting European internet infrastructure. The lack of authentication and user interaction requirements means attackers can target these devices en masse, increasing the scale of potential impact. Given the increasing adoption of remote work in Europe, vulnerable home routers represent a critical attack surface that could be exploited to bypass corporate security controls.
Mitigation Recommendations
Immediate mitigation should focus on updating the Tenda AC9 firmware to a patched version once released by the vendor. Until a patch is available, organizations should implement network-level protections such as blocking inbound HTTP POST requests to the /goform/SetRemoteWebCfg endpoint from untrusted networks via firewall rules. Network segmentation should be enforced to isolate vulnerable routers from critical internal systems. Monitoring network traffic for unusual POST requests targeting the affected endpoint can help detect exploitation attempts. Disabling remote management features on the router, if not required, will reduce exposure. Additionally, organizations should consider replacing vulnerable Tenda AC9 devices with alternative routers that have a stronger security posture. Regular vulnerability scanning and asset inventory management will help identify and track affected devices. Finally, educating users about the risks of using outdated router firmware and encouraging timely updates is essential.
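The monitoring advice above can be turned into a concrete check. The following is an added example, not code from the page, from Tenda or from the VulDB entry: it classifies HTTP request log lines and flags POSTs to /goform/SetRemoteWebCfg whose remoteIp value is over-long or is not an IP address literal. The log format and the 15-character bound are assumptions (the page does not state the buffer size or any log format), and the sample lines are constructed.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs

AFFECTED_PATH = "/goform/SetRemoteWebCfg"
# Assumed bound (the page gives no buffer size): a dotted-quad IPv4 literal
# is at most 15 characters, so anything longer cannot be a valid remoteIp.
MAX_REMOTEIP_LEN = 15

# Assumed log format: '<METHOD> <PATH> body="<raw POST body>"', as a reverse
# proxy or IDS in front of the router's web interface might record it.
LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>.*)"$')

# Constructed sample lines: one benign request, one oversized remoteIp, one
# malformed remoteIp, and two requests that do not match the vulnerable shape.
SAMPLE_LOG = [
    'POST /goform/SetRemoteWebCfg body="remoteIp=203.0.113.10&remotePort=8080"',
    'POST /goform/SetRemoteWebCfg body="remoteIp=' + "A" * 300 + '&remotePort=8080"',
    'POST /goform/SetRemoteWebCfg body="remoteIp=203.0.113.999&remotePort=8080"',
    'GET /goform/SetRemoteWebCfg body=""',
    'POST /goform/WifiBasicSet body="ssid=home&security=wpa2"',
]


def check_line(line):
    """Classify one log line as "ok", "suspicious" or "ignored", with a reason."""
    m = LOG_RE.match(line)
    if not m:
        return "ignored", "unparsed line"
    if m["method"] != "POST" or m["path"] != AFFECTED_PATH:
        return "ignored", "not a POST to the affected endpoint"
    values = parse_qs(m["body"], keep_blank_values=True).get("remoteIp", [])
    if not values:
        return "ok", "no remoteIp parameter"
    value = values[0]
    if len(value) > MAX_REMOTEIP_LEN:
        return "suspicious", f"remoteIp length {len(value)} exceeds {MAX_REMOTEIP_LEN}"
    try:
        ip_address(value)  # accepts only well-formed IPv4/IPv6 literals
    except ValueError:
        return "suspicious", "remoteIp is not an IP address literal"
    return "ok", "well-formed remoteIp"


def scan(lines):
    """Return (index, reason) for every line that matches the exploit shape."""
    results = [check_line(line) for line in lines]
    return [(i, r) for i, (v, r) in enumerate(results) if v == "suspicious"]
```

Running `scan(SAMPLE_LOG)` reports the oversized and the malformed remoteIp lines and ignores the GET and the unrelated endpoint.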
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-08T09:22:34.441Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6845942271f4d251b5528aa8
Added to database: 6/8/2025, 1:46:10 PM
Last enriched: 7/9/2025, 12:42:44 AM
Last updated: 8/2/2025, 6:30:27 PM
Related Threats
- CVE-2025-8834: Cross Site Scripting in JCG Link-net LW-N915R (Medium)
- CVE-2025-55159: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in tokio-rs slab (Medium)
- CVE-2025-55161: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF (High)
- CVE-2025-25235: CWE-918 Server-Side Request Forgery (SSRF) in Omnissa Secure Email Gateway (High)
- CVE-2025-55151: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF (High)