CVE-2025-5849 is a critical stack-based buffer overflow vulnerability identified in the Tenda AC15 router firmware version 15.03.05.19_multi. The flaw exists in the HTTP POST request handler, specifically within the function formSetSafeWanWebMan located in the /goform/SetRemoteWebCfg endpoint. The vulnerability arises from improper handling of the 'remoteIp' argument, which can be manipulated by an attacker to overflow the stack buffer. This overflow can lead to arbitrary code execution or cause the device to crash, resulting in denial of service. The vulnerability is remotely exploitable without requiring user interaction or prior authentication, making it highly dangerous. The CVSS 4.0 base score is 8.7, indicating a high severity level with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is high, as successful exploitation can allow attackers to execute arbitrary code, potentially gaining control over the router, intercepting or redirecting network traffic, or disrupting network availability. Although no public exploits are currently known to be actively used in the wild, the public disclosure of the exploit code increases the risk of imminent attacks. The vulnerability affects a widely deployed consumer and small business router model, which is often used as a gateway device in home and office networks, making it a critical point of compromise if exploited.

For European organizations, the exploitation of this vulnerability could have significant consequences. Many small and medium enterprises (SMEs) and home offices rely on consumer-grade routers like the Tenda AC15 for internet connectivity. A compromised router can lead to interception of sensitive communications, unauthorized network access, and lateral movement within internal networks. This can result in data breaches, intellectual property theft, and disruption of business operations. Additionally, compromised routers can be enlisted into botnets for large-scale attacks such as distributed denial of service (DDoS), which can further impact organizational availability and reputation. Given the remote and unauthenticated nature of the exploit, attackers can target vulnerable devices en masse, increasing the risk of widespread impact across European networks. The potential for integrity and availability loss is particularly concerning for sectors with critical infrastructure or sensitive data, such as finance, healthcare, and government agencies.

To mitigate this vulnerability, organizations should prioritize the following actions: 1) Immediately identify and inventory all Tenda AC15 devices running firmware version 15.03.05.19_multi within their network. 2) Apply any available firmware updates or patches from Tenda as soon as they are released; if no official patch is available, consider temporarily disabling remote management features or restricting access to the /goform/SetRemoteWebCfg endpoint via firewall rules. 3) Implement network segmentation to isolate vulnerable devices from critical internal systems, limiting the potential impact of a compromise. 4) Monitor network traffic for unusual POST requests targeting the /goform/SetRemoteWebCfg endpoint, which may indicate exploitation attempts. 5) Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting buffer overflow attempts against this endpoint. 6) Educate IT staff and users about the risks of using outdated router firmware and the importance of timely updates. 7) Consider replacing vulnerable devices with models that have a stronger security track record and ongoing vendor support if patching is not feasible.