CVE-2025-9087: Stack-based Buffer Overflow in Tenda AC20

Severity: High
Type: Vulnerability
Published: Sat Aug 16 2025 (08/16/2025, 22:32:07 UTC)
Source: CVE Database V5
Vendor/Project: Tenda
Product: AC20

Description

A vulnerability has been found in Tenda AC20 16.03.08.12. This affects the function set_qosMib_list of the file /goform/SetNetControlList of the component SetNetControlList Endpoint. The manipulation of the argument list leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/24/2025, 01:03:52 UTC

Technical Analysis

CVE-2025-9087 is a high-severity stack-based buffer overflow vulnerability identified in the Tenda AC20 router firmware version 16.03.08.12. The flaw exists in the function set_qosMib_list within the /goform/SetNetControlList endpoint. This endpoint processes network control list parameters, and improper handling of the argument list allows an attacker to overflow a stack buffer. The vulnerability can be exploited remotely without requiring user interaction or prior authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). Successful exploitation can lead to arbitrary code execution with elevated privileges, compromising the confidentiality, integrity, and availability of the affected device. The exploit has been publicly disclosed, increasing the risk of exploitation, although no known exploits are currently observed in the wild. Given the critical role of routers in network infrastructure, exploitation could allow attackers to intercept, manipulate, or disrupt network traffic, pivot to internal networks, or establish persistent footholds.

Potential Impact

For European organizations, this vulnerability poses a significant risk due to the widespread use of Tenda AC20 routers in small to medium enterprises and home office environments. Compromise of these routers could lead to unauthorized access to internal networks, data interception, and disruption of business operations. Critical sectors such as finance, healthcare, and government agencies that rely on secure network infrastructure could face data breaches or service outages. Additionally, compromised routers could be leveraged as part of botnets or for launching further attacks within European networks, amplifying the threat landscape. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially in organizations with limited network segmentation or outdated firmware management practices.

Mitigation Recommendations

Organizations should immediately identify all Tenda AC20 devices running firmware version 16.03.08.12 and prioritize their remediation. Since no official patch links are currently available, mitigation should include:

1) Restricting access to the router management interfaces by implementing network-level controls such as firewall rules to limit access only to trusted IP addresses;
2) Disabling remote management features if not required;
3) Monitoring network traffic for unusual activity indicative of exploitation attempts;
4) Employing intrusion detection/prevention systems with signatures for this vulnerability once available;
5) Planning and executing firmware upgrades as soon as vendor patches are released;
6) For critical environments, consider temporary replacement of affected devices with alternative hardware until patched.

Additionally, organizations should enforce strong network segmentation to limit the impact of any compromised device.
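For the traffic-monitoring recommendation above, the following is an added detection sketch, not code from the advisory or from Tenda. It inspects captured HTTP requests for the /goform/SetNetControlList endpoint and flags a `list` argument that is unusually long or carries non-printable bytes. The 256-byte threshold, the function name and the sample requests are assumptions; the advisory does not state the buffer size, so tune the limit against normal traffic.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/SetNetControlList"  # endpoint named in the advisory
PARAM = "list"                          # argument named in the advisory
MAX_LIST_LEN = 256  # assumed threshold (not from the advisory); tune to baseline


def inspect_request(raw: bytes) -> list[str]:
    """Return the reasons a captured HTTP request looks suspicious ([] if none)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n")[0].decode("latin-1")
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return []  # not a parseable HTTP request line
    url = urlsplit(target)
    if url.path.rstrip("/") != ENDPOINT:
        return []
    # The argument may arrive in the query string or in a form-encoded body.
    # latin-1 maps bytes 1:1, so len() below counts decoded bytes.
    params = parse_qs(url.query, keep_blank_values=True, encoding="latin-1")
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True,
                    encoding="latin-1")
    for key, values in form.items():
        params.setdefault(key, []).extend(values)
    reasons = []
    for value in params.get(PARAM, []):
        if len(value) > MAX_LIST_LEN:
            reasons.append(f"{PARAM} length {len(value)} exceeds {MAX_LIST_LEN}")
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
            reasons.append(f"{PARAM} contains non-printable bytes")
    return reasons


# Constructed sample requests (not captured traffic); 192.0.2.1 is a
# documentation address and "example-entry" is a placeholder value.
BENIGN = (b"POST /goform/SetNetControlList HTTP/1.1\r\nHost: 192.0.2.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"list=example-entry")
OVERSIZED = BENIGN.replace(b"example-entry", b"A" * 1024)
BINARY = b"POST /goform/SetNetControlList?list=%00ab HTTP/1.1\r\n\r\n"
OTHER = b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("oversized", OVERSIZED),
                      ("binary", BINARY), ("other", OTHER)]:
        print(name, inspect_request(req))
```

The same length and character checks can be expressed as an IDS or reverse-proxy rule in front of the management interface until a firmware fix is available.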

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-16T06:06:05.154Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a10a8ead5a09ad008649a1

Added to database: 8/16/2025, 10:47:42 PM

Last enriched: 8/24/2025, 1:03:52 AM

Last updated: 9/28/2025, 8:41:25 PM

Views: 55
