
CVE-2025-7914: Buffer Overflow in Tenda AC6

Severity: High
Type: Vulnerability (tags: cve, cve-2025-7914)
Published: Mon Jul 21 2025 (07/21/2025, 00:02:07 UTC)
Source: CVE Database V5
Vendor/Project: Tenda
Product: AC6

Description

A vulnerability has been found in Tenda AC6 15.03.06.50 and classified as critical. Affected by this vulnerability is the function setparentcontrolinfo of the component httpd. The manipulation leads to buffer overflow. The attack can be launched remotely.

AI-Powered Analysis

AI analysis last updated: 07/21/2025, 01:01:05 UTC

Technical Analysis

CVE-2025-7914 is a buffer overflow vulnerability in the Tenda AC6 router, specifically in firmware version 15.03.06.50, rated critical by the reporting source. The flaw lies in the 'setparentcontrolinfo' function of the embedded HTTP daemon (httpd), which handles parental control settings on the device. Because the function does not properly validate the size of the request data it handles (a bounds-checking failure), a crafted request can overflow a buffer and overwrite adjacent memory. Depending on what is overwritten, this memory corruption can lead to arbitrary code execution on the router or crash httpd, causing denial of service.

The CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates that the function is reachable over the network, that attack complexity is low, and that no user interaction is required; the PR:L component indicates that low privileges are needed, so some level of access to the management interface is assumed. The impact on confidentiality, integrity, and availability is high, since a successful attacker could take control of the router or disrupt network services. No exploits are currently reported in the wild, but the critical rating and low attack complexity make this a significant threat to affected devices. The lack of available patches at the time of publication further increases the risk for users of this firmware version.
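The bounds-checking failure described above, shown as an added example that is not Tenda's code: the page does not give the firmware's internals, so the buffer size (NAME_BUF), the parameter name and the handler shape are assumptions chosen for illustration. The unchecked copy is the vulnerable pattern; the checked version measures the input without reading past the destination size, rejects anything that would not fit, and only then copies.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative only: NAME_BUF is an assumed size for a parental-control
 * rule name; the real firmware's buffers and request layout are not on
 * the page. */
#define NAME_BUF 32

/* Vulnerable pattern: an attacker-controlled request parameter is copied
 * into a fixed-size stack buffer with no length check. Input longer than
 * NAME_BUF - 1 bytes writes past the buffer into adjacent stack memory,
 * which is the defect class the advisory describes. It is never called
 * with oversized input below, because that behaviour is undefined. */
static void set_rule_name_unchecked(char *dst, const char *param)
{
    strcpy(dst, param);
}

/* Hardened pattern: bound the length scan by the destination size, fail
 * closed on anything that would not fit, and copy only what was checked. */
static int set_rule_name_checked(char *dst, size_t dst_len, const char *param)
{
    size_t n = 0;
    while (n < dst_len && param[n] != '\0') {
        n++;                      /* never reads more than dst_len bytes */
    }
    if (n >= dst_len) {
        return -1;                /* too long: reject, do not truncate silently */
    }
    memcpy(dst, param, n);
    dst[n] = '\0';
    return 0;
}

/* Simulated handler: 1 if the request parameter is accepted, 0 if rejected. */
int handle_set_parent_control(const char *name_param)
{
    char name[NAME_BUF];
    if (set_rule_name_checked(name, sizeof name, name_param) != 0) {
        return 0;
    }
    return 1;
}

/* Helper for boundary testing: builds a constructed name of `len` 'A'
 * characters and passes it through the hardened handler. */
int accepts_name_of_length(size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL) {
        return 0;
    }
    memset(buf, 'A', len);
    buf[len] = '\0';
    int accepted = handle_set_parent_control(buf);
    free(buf);
    return accepted;
}

int main(void)
{
    char demo[NAME_BUF];
    set_rule_name_unchecked(demo, "kids");   /* safe only because input is short */
    printf("unchecked copy of short input: %s\n", demo);

    /* The hardened handler accepts names up to NAME_BUF - 1 bytes and
     * rejects the first length that would overflow. */
    printf("31 bytes accepted: %d\n", accepts_name_of_length(31));
    printf("32 bytes accepted: %d\n", accepts_name_of_length(32));
    printf("200 bytes accepted: %d\n", accepts_name_of_length(200));
    return 0;
}
```

The boundary worth checking is exactly NAME_BUF - 1 versus NAME_BUF: an off-by-one in the comparison would still leave a one-byte overwrite, so a reviewer should test both sides of the limit rather than only a grossly oversized input.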

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for small and medium enterprises or home office environments that rely on Tenda AC6 routers for network connectivity. Successful exploitation could allow attackers to gain control over the router, enabling interception or manipulation of network traffic, deployment of malware, or pivoting into internal networks. This could compromise sensitive data confidentiality and integrity, disrupt business operations through denial of service, and undermine trust in network infrastructure. Given the router's role as a gateway device, exploitation could also facilitate broader attacks against connected systems. The impact is particularly critical in sectors with stringent data protection requirements, such as finance, healthcare, and critical infrastructure, where network compromise can have severe regulatory and operational consequences.

Mitigation Recommendations

Organizations should immediately identify any Tenda AC6 routers running firmware version 15.03.06.50 within their networks. Since no patches are currently available, mitigation should focus on network-level controls: restrict remote access to router management interfaces by implementing firewall rules that limit access to trusted IP addresses; disable remote management features if not required; monitor network traffic for anomalous HTTP requests targeting parental control functions; and segment the network to isolate critical assets from potentially compromised devices. Additionally, organizations should engage with Tenda support channels to obtain information on forthcoming patches or firmware updates addressing this vulnerability. Where feasible, consider replacing affected devices with models from vendors with a stronger security track record or with timely patch management. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-19T19:23:43.322Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687d8dcea83201eaac05f843

Added to database: 7/21/2025, 12:46:06 AM

Last enriched: 7/21/2025, 1:01:05 AM

Last updated: 7/21/2025, 8:57:15 AM

