
CVE-2025-9023: Buffer Overflow in Tenda AC7

Severity: High
Tags: Vulnerability, CVE-2025-9023
Published: Fri Aug 15 2025 (08/15/2025, 08:32:07 UTC)
Source: CVE Database V5
Vendor/Project: Tenda
Product: AC7

Description

A vulnerability has been found in Tenda AC7 and AC18 15.03.05.19/15.03.06.44. Affected is the function formSetSchedLed of the file /goform/SetLEDCfg. The manipulation of the argument Time leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AI analysis last updated: 08/15/2025, 09:02:53 UTC

Technical Analysis

CVE-2025-9023 is a high-severity buffer overflow vulnerability affecting Tenda AC7 and AC18 routers running firmware versions 15.03.05.19 and 15.03.06.44. The flaw exists in the formSetSchedLed function within the /goform/SetLEDCfg endpoint. Specifically, the vulnerability arises from improper handling of the 'Time' argument, which can be manipulated to cause a buffer overflow condition. This vulnerability is exploitable remotely without authentication or user interaction, as the affected endpoint is accessible over the network. The CVSS 4.0 base score is 8.7, reflecting the high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction required. Successful exploitation could allow an attacker to execute arbitrary code on the device, potentially leading to full compromise of the router. This could enable attackers to intercept or manipulate network traffic, disrupt network availability, or use the device as a foothold for further attacks within the network. Although no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of imminent attacks. The vulnerability affects widely deployed consumer and small business routers, which are often used as gateways in home and office networks, making this a critical concern for network security.

Potential Impact

For European organizations, this vulnerability poses significant risks. Many enterprises and small businesses rely on Tenda routers for network connectivity, especially in small office/home office (SOHO) environments. Exploitation could lead to unauthorized access to internal networks, interception of sensitive communications, and disruption of business operations. Given the remote exploitability without authentication, attackers can target vulnerable devices directly from the internet, increasing the attack surface. This can facilitate lateral movement into corporate networks or enable attackers to launch further attacks such as man-in-the-middle, data exfiltration, or ransomware deployment. The impact is particularly severe for organizations handling sensitive personal data or critical infrastructure, as compromise could lead to data breaches or operational outages. Additionally, compromised routers can be conscripted into botnets, amplifying threats to broader internet stability and security within Europe.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first identify all Tenda AC7 and AC18 routers running the affected firmware versions (15.03.05.19 and 15.03.06.44) within their networks. Immediate steps include isolating these devices from untrusted networks and restricting remote management access to trusted IPs only. Network segmentation should be enforced to limit the impact of any potential compromise. Since no official patches are currently available, organizations should monitor Tenda's security advisories closely for firmware updates addressing this issue and apply them promptly once released. As an interim measure, disabling the LED scheduling feature or blocking access to the /goform/SetLEDCfg endpoint via firewall rules can reduce exposure. Employing network intrusion detection systems (NIDS) to monitor for suspicious traffic targeting this endpoint is recommended. Additionally, organizations should educate users about the risks and encourage regular firmware updates as a best practice. Finally, consider deploying network-level protections such as VPNs and strong authentication to reduce exposure of management interfaces.
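As an added illustration of the endpoint-monitoring recommendation above (example code, not part of this advisory or of Tenda's firmware): a small Python filter over constructed request records, as a proxy or NIDS might capture them, that flags /goform/SetLEDCfg requests carrying an oversized Time value or arriving from outside an assumed trusted-management address set. The length threshold and the trusted addresses are assumptions; the advisory does not state the size of the overflowed buffer.

```python
"""Flag HTTP requests to /goform/SetLEDCfg with an oversized 'Time' parameter.

The request records below are constructed for this example; MAX_TIME_LEN and
TRUSTED_MGMT are assumed values, not figures from the advisory.
"""
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/SetLEDCfg"
# Assumed: a legitimate LED schedule is a short string, so anything over
# 32 bytes cannot be a valid schedule and is treated as an overflow attempt.
MAX_TIME_LEN = 32
# Assumed: the only hosts allowed to reach the management interface.
TRUSTED_MGMT = {"192.0.2.10"}


def time_values(request):
    """Collect every 'Time' value from the query string and the form body."""
    url = urlsplit(request["target"])
    values = parse_qs(url.query, keep_blank_values=True).get("Time", [])
    if request.get("body"):
        values += parse_qs(request["body"], keep_blank_values=True).get("Time", [])
    return values


def inspect(request):
    """Return the alert reasons for a SetLEDCfg request; empty list if benign."""
    if urlsplit(request["target"]).path != TARGET_PATH:
        return []
    reasons = []
    if request["src"] not in TRUSTED_MGMT:
        reasons.append("SetLEDCfg request from untrusted source")
    for value in time_values(request):
        if len(value) > MAX_TIME_LEN:
            reasons.append(f"oversized Time parameter ({len(value)} bytes)")
    return reasons


def scan(requests):
    """Run inspect() over a capture and return one alert per suspicious request."""
    alerts = []
    for req in requests:
        reasons = inspect(req)
        if reasons:
            alerts.append({"src": req["src"], "reasons": reasons})
    return alerts


# Constructed sample capture: benign update, oversized Time, unrelated endpoint,
# and a normal-looking update from an address outside the trusted set.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "method": "POST", "target": TARGET_PATH, "body": "Time=22:00-07:00"},
    {"src": "192.0.2.77", "method": "POST", "target": TARGET_PATH, "body": "Time=" + "A" * 600},
    {"src": "192.0.2.77", "method": "GET", "target": "/goform/GetLEDCfg?Time=" + "B" * 600},
    {"src": "198.51.100.5", "method": "POST", "target": TARGET_PATH, "body": "Time=23:00-06:00"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```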


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-14T07:07:03.862Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689ef437ad5a09ad00697379

Added to database: 8/15/2025, 8:47:51 AM

Last enriched: 8/15/2025, 9:02:53 AM

Last updated: 8/15/2025, 1:58:09 PM
