CVE-2025-5853: Stack-based Buffer Overflow in Tenda AC6
A vulnerability classified as critical was found in Tenda AC6 15.03.05.16. Affected by this vulnerability is the function formSetSafeWanWebMan of the file /goform/SetRemoteWebCfg. The manipulation of the argument remoteIp leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5853 is a critical stack-based buffer overflow vulnerability identified in the Tenda AC6 router, specifically in version 15.03.05.16. The flaw exists within the function formSetSafeWanWebMan located in the /goform/SetRemoteWebCfg endpoint. This vulnerability arises from improper handling of the remoteIp argument, which allows an attacker to overflow the stack buffer by sending a specially crafted request. Because the vulnerability is remotely exploitable without requiring user interaction or authentication, an attacker can potentially execute arbitrary code on the affected device. The CVSS 4.0 score of 8.7 (high severity) reflects the vulnerability's network attack vector, low attack complexity, and no need for privileges or user interaction, combined with high impacts on confidentiality, integrity, and availability. Although no known exploits have been observed in the wild yet, the public disclosure of the exploit code increases the risk of active exploitation. The vulnerability affects a widely used consumer and small office/home office (SOHO) router model, which is often deployed in home and small business networks. Successful exploitation could allow attackers to gain control over the router, intercept or manipulate network traffic, disrupt internet connectivity, or pivot to internal networks, posing significant security risks.
Potential Impact
For European organizations, the exploitation of this vulnerability could lead to severe consequences. Many small businesses and home offices in Europe rely on Tenda AC6 routers for internet connectivity. Compromise of these devices could result in unauthorized access to internal networks, data interception, or disruption of services. This is particularly critical for organizations handling sensitive personal data under GDPR, as breaches could lead to regulatory penalties and reputational damage. Additionally, compromised routers could be leveraged as entry points for broader attacks, including lateral movement within corporate networks or launching distributed denial-of-service (DDoS) attacks. The lack of authentication and remote exploitability means attackers can target these devices en masse, increasing the scale and speed of potential attacks. The impact extends beyond confidentiality to integrity and availability, threatening business continuity and data protection obligations.
Mitigation Recommendations
To mitigate this vulnerability, European organizations and users should immediately verify if their Tenda AC6 routers are running the affected firmware version 15.03.05.16. Since no official patch links are currently provided, users should monitor Tenda’s official support channels for firmware updates addressing CVE-2025-5853 and apply them promptly once available. In the interim, network administrators should restrict remote WAN access to router management interfaces by disabling remote web management or limiting access via firewall rules to trusted IP addresses only. Employing network segmentation to isolate routers from critical internal systems can reduce risk. Regularly updating router firmware and changing default credentials remain essential best practices. Additionally, monitoring network traffic for unusual activity and deploying intrusion detection systems can help identify exploitation attempts. Organizations should also consider replacing vulnerable devices if patches are delayed or unavailable.
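The monitoring and access-restriction advice above can be expressed as a check over HTTP request records. This is an added example, not code from the advisory or from Tenda; it assumes records of the form (source IP, request target, body) exported by a network sensor, a hypothetical trusted management range, and that a legitimate remoteIp value is a dotted-quad IPv4 string.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/SetRemoteWebCfg"  # endpoint named in the advisory
PARAM = "remoteIp"                    # argument named in the advisory
MAX_LEN = 15  # assumption: a legitimate value is a dotted-quad IPv4 string

def check_request(src, target, body, trusted_nets):
    """Return reasons a request to the endpoint is suspicious ([] if none)."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []
    reasons = []
    if not any(ipaddress.ip_address(src) in net for net in trusted_nets):
        reasons.append("management endpoint reached from untrusted source")
    # The argument may arrive in the query string or in a form-encoded body.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    values += parse_qs(body, keep_blank_values=True).get(PARAM, [])
    for value in values:
        if len(value) > MAX_LEN:
            reasons.append(f"{PARAM} is {len(value)} chars (max {MAX_LEN})")
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            reasons.append(f"{PARAM} is not a valid IPv4 address")
    return reasons

def scan(records, trusted_cidrs):
    """records: iterable of (src_ip, request_target, body) from a network sensor."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for src, target, body in records:
        reasons = check_request(src, target, body, nets)
        if reasons:
            alerts.append((src, reasons))
    return alerts

# Constructed sample records (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE = [
    ("192.168.0.10", "/goform/SetRemoteWebCfg", "remoteIp=0.0.0.0"),
    ("203.0.113.7", "/goform/SetRemoteWebCfg", "remoteIp=" + "A" * 300),
    ("203.0.113.7", "/index.html", ""),
    ("192.168.0.10", "/goform/SetRemoteWebCfg?remoteIp=10.0.0.999", ""),
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE, ["192.168.0.0/24"]):
        print(src, "; ".join(reasons))
```

The length limit and the trusted range are tunables; widen the format check if the deployed firmware accepts other remoteIp forms.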
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-08T09:29:11.914Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6846c60e7b622a9fdf1e7955
Added to database: 6/9/2025, 11:31:26 AM
Last enriched: 7/9/2025, 11:55:55 AM
Last updated: 8/11/2025, 11:07:12 PM