Introduction
Remote attackers can take control of Tenda AC20 routers in home and office networks by exploiting a buffer overflow in the parental control interface. The public availability of exploit code and the lack of authentication requirements make this a significant risk for any unpatched device running affected firmware.
Tenda is a major manufacturer of consumer and small business networking equipment, with a global presence and millions of deployed devices. The AC20 is a popular dual-band router model commonly found in residential and small office environments. Tenda's product line has been repeatedly affected by memory safety and input validation vulnerabilities, raising concerns about systemic security practices.
Technical Information
CVE-2025-10120 is a stack-based buffer overflow in Tenda AC20 routers running firmware up to 16.03.08.12. The vulnerability resides in the web management interface, specifically in the handler for the /goform/GetParentControlInfo
endpoint. When processing an HTTP POST request, the firmware copies the user-supplied mac
parameter into a fixed-size stack buffer using the strcpy
function. Since strcpy
does not check the length of the source string, a long mac
value will overflow the buffer, potentially overwriting the function's return address and enabling remote code execution.
The root cause is the lack of input validation and the unsafe use of strcpy
for copying externally supplied data. This is a textbook example of CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input). The endpoint is exposed via the web interface, and no authentication is required to trigger the flaw.
Similar vulnerabilities have been reported in other endpoints and Tenda models, often involving the same pattern of unsafe string handling and missing bounds checks. The exploitability is high due to the remote attack surface and the absence of authentication.
Affected Systems and Versions
- Tenda AC20 routers running firmware up to 16.03.08.12
- The vulnerable endpoint is
/goform/GetParentControlInfo
- All configurations exposing the web management interface are at risk
Vendor Security History
Tenda has a documented history of memory safety and input validation flaws in its router firmware. Notable recent vulnerabilities include:
- CVE-2025-8160: Buffer overflow in
/goform/SetSysTimeCfg
(AC20, up to 16.03.08.12) - CVE-2025-8940: Buffer overflow in
/goform/saveParentControlInfo
(AC20, up to 16.03.08.12) - CVE-2025-9090: Command injection in
/goform/telnet
(AC20, 16.03.08.12) - CVE-2025-9523: Stack buffer overflow in
GetParentControlInfo
(AC1206)
Patch response times have been inconsistent, and similar vulnerabilities have recurred across multiple product lines and firmware versions. Tenda's communication and disclosure practices have not always provided timely or detailed guidance to users.