Tenda AC20 CVE-2025-10120 Buffer Overflow: Brief Technical Summary

A brief summary of CVE-2025-10120, a high-severity buffer overflow in Tenda AC20 routers up to firmware 16.03.08.12. This post covers affected versions, technical root cause, and vendor security history based on public information.
CVE Analysis

8 min read

ZeroPath CVE Analysis

ZeroPath CVE Analysis

2025-09-08

Tenda AC20 CVE-2025-10120 Buffer Overflow: Brief Technical Summary
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Remote attackers can take control of Tenda AC20 routers in home and office networks by exploiting a buffer overflow in the parental control interface. The public availability of exploit code and the lack of authentication requirements make this a significant risk for any unpatched device running affected firmware.

Tenda is a major manufacturer of consumer and small business networking equipment, with a global presence and millions of deployed devices. The AC20 is a popular dual-band router model commonly found in residential and small office environments. Tenda's product line has been repeatedly affected by memory safety and input validation vulnerabilities, raising concerns about systemic security practices.

Technical Information

CVE-2025-10120 is a stack-based buffer overflow in Tenda AC20 routers running firmware up to 16.03.08.12. The vulnerability resides in the web management interface, specifically in the handler for the /goform/GetParentControlInfo endpoint. When processing an HTTP POST request, the firmware copies the user-supplied mac parameter into a fixed-size stack buffer using the strcpy function. Since strcpy does not check the length of the source string, a long mac value will overflow the buffer, potentially overwriting the function's return address and enabling remote code execution.

The root cause is the lack of input validation and the unsafe use of strcpy for copying externally supplied data. This is a textbook example of CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input). The endpoint is exposed via the web interface, and no authentication is required to trigger the flaw.

Similar vulnerabilities have been reported in other endpoints and Tenda models, often involving the same pattern of unsafe string handling and missing bounds checks. The exploitability is high due to the remote attack surface and the absence of authentication.

Affected Systems and Versions

  • Tenda AC20 routers running firmware up to 16.03.08.12
  • The vulnerable endpoint is /goform/GetParentControlInfo
  • All configurations exposing the web management interface are at risk

Vendor Security History

Tenda has a documented history of memory safety and input validation flaws in its router firmware. Notable recent vulnerabilities include:

  • CVE-2025-8160: Buffer overflow in /goform/SetSysTimeCfg (AC20, up to 16.03.08.12)
  • CVE-2025-8940: Buffer overflow in /goform/saveParentControlInfo (AC20, up to 16.03.08.12)
  • CVE-2025-9090: Command injection in /goform/telnet (AC20, 16.03.08.12)
  • CVE-2025-9523: Stack buffer overflow in GetParentControlInfo (AC1206)

Patch response times have been inconsistent, and similar vulnerabilities have recurred across multiple product lines and firmware versions. Tenda's communication and disclosure practices have not always provided timely or detailed guidance to users.

References

Detect & fix
what others miss