CVE-2025-6886 is a critical stack-based buffer overflow vulnerability identified in the Tenda AC5 router firmware version 15.03.06.47. The vulnerability arises from improper handling of input parameters, specifically schedStartTime and schedEndTime, within the /goform/openSchedWifi endpoint. This endpoint appears to be related to scheduling Wi-Fi access, and the flawed input validation allows an attacker to overflow the stack buffer by manipulating these parameters. The overflow can lead to arbitrary code execution or cause the device to crash, resulting in denial of service. Notably, the vulnerability can be exploited remotely without requiring user interaction or prior authentication, increasing its risk profile. The CVSS 4.0 score of 8.7 reflects high severity, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability impacts confidentiality, integrity, and availability, as an attacker could potentially execute arbitrary code, disrupt network connectivity, or gain unauthorized access to network traffic. Although no public exploits are currently observed in the wild, the disclosure of the exploit code increases the likelihood of exploitation attempts. The lack of an official patch at the time of publication further elevates the risk for affected users. Given that Tenda AC5 is a consumer and small office/home office (SOHO) router, the vulnerability poses a significant threat to network security, especially in environments relying on this device for internet access and internal network segmentation.

For European organizations, especially small and medium enterprises (SMEs) and home offices using Tenda AC5 routers, this vulnerability can lead to severe consequences. Successful exploitation could allow attackers to gain control over the router, intercept or manipulate network traffic, and potentially pivot to internal networks, compromising sensitive data and disrupting business operations. The remote and unauthenticated nature of the exploit means attackers can target these devices en masse, potentially leading to widespread outages or use of compromised routers in botnets for further attacks. This is particularly concerning for organizations with remote workers relying on these routers for secure connectivity. Additionally, the compromise of network infrastructure devices like routers can undermine trust in organizational cybersecurity measures and lead to regulatory compliance issues under GDPR if personal data is exposed or intercepted.

Given the absence of an official patch, European organizations should implement immediate compensating controls. These include isolating Tenda AC5 devices from direct exposure to the internet by placing them behind firewalls or NAT devices that restrict access to the /goform/openSchedWifi endpoint. Network administrators should disable remote management features on these routers if enabled. Monitoring network traffic for unusual requests targeting the vulnerable endpoint can help detect exploitation attempts early. Organizations should also consider replacing affected Tenda AC5 routers with models from vendors with timely security update practices. Applying strict network segmentation to limit the impact of a compromised router and enforcing strong network access controls will reduce risk. Finally, staying informed about vendor updates and applying patches promptly once available is critical.