CVE-2025-5862: Buffer Overflow in Tenda AC7

High
Vulnerability: CVE-2025-5862
Tags: cve, cve-2025-5862
Published: Mon Jun 09 2025 (06/09/2025, 05:00:20 UTC)
Source: CVE Database V5
Vendor/Project: Tenda
Product: AC7

Description

A vulnerability was found in Tenda AC7 15.03.06.44 and classified as critical. This issue affects the function formSetPPTPUserList of the file /goform/setPptpUserList. The manipulation of the argument list leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/09/2025, 05:39:53 UTC

Technical Analysis

CVE-2025-5862 is a critical buffer overflow vulnerability identified in the Tenda AC7 router, specifically affecting firmware version 15.03.06.44. The vulnerability resides in the function formSetPPTPUserList within the /goform/setPptpUserList endpoint. This function improperly handles input arguments, allowing an attacker to manipulate the argument list and trigger a buffer overflow condition. Buffer overflow vulnerabilities can lead to arbitrary code execution, denial of service, or system compromise. The vulnerability is remotely exploitable without requiring user interaction or prior authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L), although the PR:L component of that vector denotes that low privileges are required. The CVSS 4.0 base score is 8.7, reflecting a high severity level due to the potential for complete compromise of the device's confidentiality, integrity, and availability. The vulnerability affects the router's PPTP user list management functionality, which is critical for VPN user configurations. Although no known exploits are currently observed in the wild, public disclosure of the exploit code increases the risk of active exploitation. The lack of available patches at the time of publication further elevates the threat. Given the router's role as a network gateway device, successful exploitation could allow attackers to intercept, manipulate, or disrupt network traffic, pivot into internal networks, or establish persistent footholds.

Potential Impact

For European organizations, the exploitation of CVE-2025-5862 poses significant risks. The Tenda AC7 router is commonly used in small to medium-sized enterprises and residential environments, which may have less rigorous network security controls. Compromise of these routers could lead to unauthorized access to internal networks, data exfiltration, or disruption of business operations. Given the router's VPN configuration functionality is affected, attackers might manipulate VPN user lists to gain unauthorized remote access, undermining secure communications. This is particularly concerning for organizations relying on PPTP VPNs for remote connectivity, despite PPTP's known weaknesses. The vulnerability could also be leveraged as a foothold for broader attacks, including lateral movement and deployment of malware or ransomware. The high severity and remote exploitability without authentication mean that attackers can target vulnerable devices en masse, potentially impacting critical infrastructure or sensitive data within European organizations. Furthermore, the public availability of exploit code increases the likelihood of opportunistic attacks, especially against organizations that have not updated or replaced vulnerable devices.

Mitigation Recommendations

To mitigate CVE-2025-5862, European organizations should prioritize the following actions:

1) Immediately identify and inventory all Tenda AC7 routers running firmware version 15.03.06.44 within their networks.
2) Apply any available firmware updates or patches from Tenda as soon as they are released. In the absence of official patches, consider disabling the PPTP VPN functionality or the vulnerable /goform/setPptpUserList endpoint if possible.
3) Restrict remote management access to the router, ideally limiting it to trusted IP addresses or disabling remote administration entirely.
4) Implement network segmentation to isolate vulnerable devices from critical network segments, reducing the potential impact of compromise.
5) Monitor network traffic for unusual activity related to PPTP VPN connections or attempts to access the vulnerable endpoint.
6) Consider replacing Tenda AC7 devices with more secure alternatives if patching is not feasible or timely.
7) Educate IT staff about the risks associated with PPTP VPNs and encourage migration to more secure VPN protocols such as OpenVPN or IPsec.
8) Employ intrusion detection/prevention systems (IDS/IPS) to detect exploitation attempts targeting this vulnerability.
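
An added example (not part of the original advisory or any vendor tooling) of the monitoring called for in recommendations 3 and 5: it scans HTTP records for requests to /goform/setPptpUserList and flags those from outside an admin allowlist or with unusually large bodies. The Zeek http.log JSON input, the allowlist, the size threshold and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import unquote, urlsplit

ENDPOINT = "/goform/setpptpuserlist"   # path named in the advisory, lowercased
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("192.168.0.10/32")]  # assumption
MAX_BODY_LEN = 512                     # assumption: tune to legitimate traffic

# Constructed sample records in Zeek http.log JSON form (not real traffic).
SAMPLE_LOG = """\
{"ts":1749450000.1,"id.orig_h":"192.168.0.10","method":"POST","uri":"/goform/setPptpUserList","request_body_len":74}
{"ts":1749450020.4,"id.orig_h":"192.168.0.57","method":"POST","uri":"/goform/setPptpUserList","request_body_len":81}
{"ts":1749450031.9,"id.orig_h":"192.168.0.10","method":"POST","uri":"/goform/%73etPptpUserList?x=1","request_body_len":4096}
{"ts":1749450040.2,"id.orig_h":"192.168.0.57","method":"GET","uri":"/index.html","request_body_len":0}
not-json garbage line
"""

def normalize_path(uri):
    """Percent-decode and lowercase the path so encoded variants still match."""
    return unquote(urlsplit(uri).path).lower().rstrip("/")

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def find_alerts(log_text):
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict) or normalize_path(rec.get("uri", "")) != ENDPOINT:
            continue
        reasons = []
        src = rec.get("id.orig_h", "")
        if not is_trusted(src):
            reasons.append("untrusted-source")
        if rec.get("request_body_len", 0) > MAX_BODY_LEN:
            reasons.append("oversized-body")
        if reasons:
            alerts.append((src, reasons))
    return alerts

if __name__ == "__main__":
    print(find_alerts(SAMPLE_LOG))
```

Matching is deliberately case-insensitive and decoding-tolerant, so it may over-match relative to what the router itself accepts; for detection that is the safer direction.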

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-08T13:25:28.966Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68466dfd71f4d251b57ea555

Added to database: 6/9/2025, 5:15:41 AM

Last enriched: 7/9/2025, 5:39:53 AM

Last updated: 8/17/2025, 4:14:40 AM
