CVE-2025-9605 is a critical security vulnerability identified in the Tenda AC21 and AC23 routers running firmware version 16.03.08.16. The flaw exists in the GetParentControlInfo function located at the /goform/GetParentControlInfo endpoint. Specifically, the vulnerability arises from improper handling of the 'mac' argument, which can be manipulated by an attacker to trigger a stack-based buffer overflow. This type of vulnerability allows an attacker to overwrite parts of the stack memory, potentially leading to arbitrary code execution, denial of service, or system compromise. The vulnerability is remotely exploitable without requiring any authentication or user interaction, making it highly dangerous. The CVSS v4.0 score of 9.3 reflects its critical severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact metrics indicate high confidentiality, integrity, and availability impacts, meaning successful exploitation could lead to full system compromise. Although no public exploits have been observed in the wild yet, the vulnerability has been publicly disclosed, increasing the risk of exploitation by threat actors. The absence of a patch link suggests that a vendor fix may not yet be available, emphasizing the urgency for mitigation. Given the nature of the vulnerability and the affected devices, attackers could leverage this flaw to gain control over the router, intercept or manipulate network traffic, or pivot into internal networks.

For European organizations, the impact of this vulnerability could be significant, especially for those relying on Tenda AC21 or AC23 routers in their network infrastructure. Compromise of these routers could lead to unauthorized access to sensitive internal networks, interception of confidential communications, and disruption of network availability. This is particularly critical for small and medium enterprises or branch offices that may use consumer-grade routers like Tenda devices without advanced security monitoring. The ability to remotely exploit the vulnerability without authentication means attackers can target exposed devices over the internet, increasing the risk of widespread attacks. Additionally, critical sectors such as finance, healthcare, and government agencies in Europe could face data breaches or operational disruptions if their network perimeter devices are compromised. The lack of a patch at the time of disclosure further exacerbates the risk, potentially leading to exploitation by cybercriminals or state-sponsored actors aiming to establish persistent footholds or conduct espionage.

1. Immediate Network Segmentation: Isolate Tenda AC21 and AC23 routers from critical network segments to limit potential lateral movement if compromised. 2. Disable Remote Management: If remote management features are enabled on these routers, disable them to reduce exposure to external attackers. 3. Access Control Lists (ACLs): Implement strict ACLs to restrict inbound traffic to router management interfaces only from trusted IP addresses. 4. Monitor Network Traffic: Deploy network intrusion detection systems (NIDS) to detect anomalous traffic patterns or exploitation attempts targeting the /goform/GetParentControlInfo endpoint. 5. Firmware Updates: Continuously monitor Tenda’s official channels for firmware patches addressing CVE-2025-9605 and apply updates promptly once available. 6. Device Replacement: For high-risk environments, consider replacing affected Tenda routers with models from vendors with a stronger security track record until patches are released. 7. Incident Response Preparedness: Prepare incident response plans specific to router compromise scenarios, including network isolation and forensic analysis. 8. Vendor Engagement: Engage with Tenda support to obtain timelines for patch releases and request security advisories to stay informed.