CVE-2025-5861 is a critical buffer overflow vulnerability identified in the Tenda AC7 router, specifically in firmware version 15.03.06.44. The vulnerability resides in the function 'fromadvsetlanip' within the '/goform/AdvSetLanip' endpoint. The flaw is triggered by manipulating the 'lanMask' argument, which leads to a buffer overflow condition. This vulnerability is exploitable remotely without requiring user interaction or prior authentication, making it highly dangerous. The CVSS 4.0 score of 8.7 reflects its high severity, with an attack vector classified as network (AV:N), low attack complexity (AC:L), no privileges required (PR:L), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high, indicating that successful exploitation could allow an attacker to execute arbitrary code, potentially leading to full system compromise, data leakage, or denial of service. Although no known exploits are currently observed in the wild, the public disclosure of the exploit increases the risk of imminent attacks. The vulnerability affects a widely used consumer and small office router model, which is often deployed in home and small business environments, potentially serving as a pivot point for attackers to infiltrate larger networks.

For European organizations, the impact of this vulnerability can be significant, especially for small and medium enterprises (SMEs) and home office setups that rely on Tenda AC7 routers for network connectivity. Exploitation could lead to unauthorized access to internal networks, interception or manipulation of sensitive data, and disruption of network services. Given the router's role as a gateway device, attackers could leverage this vulnerability to establish persistent footholds, launch lateral movement attacks, or exfiltrate confidential information. The widespread use of Tenda devices in residential and small business environments across Europe increases the attack surface. Additionally, critical infrastructure or organizations with remote workers using vulnerable routers may face increased risks. The lack of a patch at the time of disclosure further exacerbates the threat, necessitating immediate mitigation to prevent exploitation.

Organizations should immediately identify and inventory all Tenda AC7 routers running firmware version 15.03.06.44 within their networks. Since no official patch is currently available, temporary mitigations include isolating these devices from critical network segments and restricting remote access to the router management interface, especially from untrusted networks. Network-based intrusion detection and prevention systems (IDS/IPS) should be configured to monitor and block suspicious traffic targeting the '/goform/AdvSetLanip' endpoint or anomalous HTTP POST requests containing crafted 'lanMask' parameters. Administrators should enforce strong network segmentation and consider replacing vulnerable devices with models from vendors with timely security support. Regularly monitoring vendor announcements for firmware updates and applying patches promptly once available is critical. Additionally, educating users about the risks of exposing router management interfaces to the internet and enforcing strong administrative credentials can reduce exploitation likelihood.