CVE-2025-65222 is a buffer overflow vulnerability identified in the Tenda AC21 router firmware version V16.03.08.16. The flaw exists in the handling of the rebootTime parameter within the /goform/SetSysAutoRebbotCfg HTTP endpoint, which is part of the router's web-based management interface. Buffer overflow vulnerabilities occur when input data exceeds the allocated buffer size, potentially overwriting adjacent memory and enabling attackers to execute arbitrary code or crash the system. In this case, an attacker can send a specially crafted HTTP request to the vulnerable endpoint, causing the buffer overflow. This could lead to remote code execution or denial of service (DoS) conditions on the router. The vulnerability does not require authentication, increasing the risk if the management interface is exposed externally or accessible to untrusted internal users. No public exploits or patches are currently available, and no CVSS score has been assigned yet. The vulnerability was reserved and published in November 2025, indicating recent discovery. The lack of patch links suggests that mitigation may rely on vendor updates or network controls. The router is commonly used in consumer and small business environments, which may lack robust security controls, increasing the risk of exploitation. Attackers exploiting this vulnerability could gain control over the router, intercept or manipulate network traffic, or disrupt network availability.

For European organizations, exploitation of this vulnerability could lead to significant network disruptions and compromise of network security. A successful attack could allow adversaries to execute arbitrary code on the router, potentially gaining persistent access to the network perimeter device. This could facilitate further lateral movement, interception of sensitive data, or disruption of services. Small and medium enterprises (SMEs) and home office environments using Tenda AC21 routers are particularly at risk due to potentially weaker network segmentation and security monitoring. The denial of service impact could cause network outages, affecting business continuity. Additionally, compromised routers could be leveraged as part of botnets or for launching attacks against other targets. The absence of authentication requirements for exploitation increases the threat level, especially if remote management interfaces are exposed to the internet. European organizations with remote workforce setups or less stringent network access controls may be more vulnerable. The impact on confidentiality, integrity, and availability is high given the router’s role as a gateway device.

1. Immediately restrict access to the router’s management interface by disabling remote management or limiting it to trusted IP addresses via firewall rules. 2. Monitor network traffic for unusual HTTP requests targeting /goform/SetSysAutoRebbotCfg or other suspicious activity indicative of exploitation attempts. 3. Apply any available firmware updates from Tenda as soon as they are released addressing this vulnerability. 4. If no patch is available, consider replacing vulnerable devices with models from vendors with active security support. 5. Implement network segmentation to isolate vulnerable routers from critical infrastructure and sensitive data. 6. Use intrusion detection/prevention systems (IDS/IPS) to detect and block exploit attempts targeting this vulnerability. 7. Educate IT staff and users about the risks of exposing router management interfaces to untrusted networks. 8. Regularly audit router configurations to ensure default credentials are changed and unnecessary services are disabled. 9. Employ network access control (NAC) to limit device connectivity based on security posture. 10. Maintain up-to-date asset inventories to quickly identify and remediate vulnerable devices.