CVE-2025-9087: Stack-based Buffer Overflow in Tenda AC20

Severity: High
Published: Sat Aug 16 2025 (08/16/2025, 22:32:07 UTC)
Source: CVE Database V5
Vendor/Project: Tenda
Product: AC20

Description

A vulnerability has been found in Tenda AC20 16.03.08.12. This affects the function set_qosMib_list of the file /goform/SetNetControlList of the component SetNetControlList Endpoint. The manipulation of the argument list leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/16/2025, 23:02:46 UTC

Technical Analysis

CVE-2025-9087 is a high-severity stack-based buffer overflow vulnerability in the Tenda AC20 router, specifically in firmware version 16.03.08.12. The flaw is in the function set_qosMib_list, reached through the /goform/SetNetControlList endpoint. This function improperly handles the argument list, allowing an attacker to overflow a stack buffer. The vulnerability can be exploited remotely and without user interaction, but it does require low privileges, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L); in the context of a router's web interface, PR:L may correspond to access to certain management functions. Successful exploitation could lead to arbitrary code execution on the device, compromising confidentiality, integrity, and availability. Attackers could potentially gain control over the router, manipulate network traffic, disrupt services, or use the device as a foothold for further network attacks.

The vulnerability has been publicly disclosed, and although no known exploits are currently observed in the wild, the availability of exploit details increases the risk of active exploitation. The lack of an official patch link suggests that users and administrators must be vigilant and seek firmware updates or mitigations from Tenda promptly.

Potential Impact

For European organizations, this vulnerability poses significant risks due to the widespread use of Tenda AC20 routers in small to medium business and home office environments. Compromise of these routers can lead to interception and manipulation of sensitive data, disruption of network services, and potential lateral movement within corporate networks. Given the router’s role as a network gateway, attackers could bypass perimeter defenses, exfiltrate confidential information, or launch further attacks against internal systems. The high CVSS score reflects the critical impact on confidentiality, integrity, and availability. Additionally, the remote exploitability without user interaction increases the threat level, making automated attacks and worm-like propagation feasible. Organizations relying on Tenda AC20 devices without timely firmware updates or mitigations face increased exposure to espionage, data breaches, and operational disruptions, which are particularly sensitive under stringent European data protection regulations such as GDPR.

Mitigation Recommendations

Immediate mitigation steps include isolating affected Tenda AC20 devices from critical network segments and restricting remote management access to trusted IPs or VPNs. Network administrators should monitor router logs for unusual activity related to the /goform/SetNetControlList endpoint and implement intrusion detection signatures targeting exploit attempts. Since no official patch is currently linked, organizations should contact Tenda support for firmware updates or advisories. As a temporary measure, disabling QoS management features or the vulnerable endpoint, if feasible, can reduce attack surface. Employ network segmentation to limit the impact of a compromised router and enforce strict access controls on router management interfaces. Regularly update router firmware once patches are released and conduct vulnerability scans to identify affected devices. Additionally, educating users about the risks and ensuring that default credentials are changed can help prevent unauthorized access.
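The monitoring and signature advice above can be prototyped offline before it is turned into an IDS rule. The following is an added example, not code from Tenda or from the original advisory: it inspects captured HTTP requests for the endpoint and argument named in the description. The length threshold, the trusted management host, and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/SetNetControlList"  # endpoint named in the advisory
PARAM = "list"                          # argument named in the advisory
MAX_LIST_LEN = 256         # assumed alert threshold; tune against normal QoS traffic
TRUSTED_MGMT = {"192.168.0.10"}         # assumed management host (constructed)

def inspect(src_ip, raw_request):
    """Return a list of findings for one captured HTTP request (bytes)."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        return []  # not a parsable request line
    url = urlsplit(parts[1])
    if url.path.rstrip("/") != ENDPOINT:
        return []
    findings = []
    if src_ip not in TRUSTED_MGMT:
        findings.append("untrusted-source")
    # The argument may arrive in the query string or in the form body.
    # parse_qs percent-decodes, so length is measured on the decoded value.
    params = parse_qs(url.query, keep_blank_values=True)
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    for key, values in form.items():
        params.setdefault(key, []).extend(values)
    longest = max((len(v) for v in params.get(PARAM, [])), default=0)
    if longest > MAX_LIST_LEN:
        findings.append(f"oversized-{PARAM}:{longest}")
    return findings

REQ = b"POST /goform/SetNetControlList HTTP/1.1\r\nHost: router\r\n\r\nlist="
SAMPLES = [  # constructed requests, not captured traffic
    ("192.168.0.10", REQ + b"placeholder-entry"),
    ("203.0.113.7", REQ + b"x" * 600),
    ("192.168.0.10", REQ + b"%78" * 300),
    ("203.0.113.7", b"GET /index.html HTTP/1.1\r\nHost: router\r\n\r\n"),
]

if __name__ == "__main__":
    for src, req in SAMPLES:
        print(src, inspect(src, req))
```

Any request to this endpoint from outside the management allowlist is worth an alert on its own, since the page recommends restricting management access to trusted IPs or VPNs.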

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-16T06:06:05.154Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a10a8ead5a09ad008649a1

Added to database: 8/16/2025, 10:47:42 PM

Last enriched: 8/16/2025, 11:02:46 PM

Last updated: 8/17/2025, 6:56:22 AM
