Introduction
Remote attackers can gain code execution on Tenda AC21 routers by exploiting a buffer overflow in the static route configuration endpoint. This vulnerability, tracked as CVE-2025-11091, affects a widely deployed consumer and SMB router platform and has public exploit code available, raising the risk of compromise for unpatched devices.
Tenda is a major global provider of networking equipment, especially popular in cost-sensitive markets. The AC21 model is a dual-band wireless router used in homes and small businesses. Tenda's product line is broad, with millions of devices deployed worldwide, making vulnerabilities in their firmware highly impactful for network security.
Technical Information
CVE-2025-11091 is a stack-based buffer overflow vulnerability in the Tenda AC21 router firmware up to version 16.03.08.16. The flaw is located in the implementation of the /goform/SetStaticRouteCfg endpoint, specifically in how the firmware uses the sscanf function to parse user-supplied input from HTTP POST requests.
When a remote attacker sends a crafted POST request to /goform/SetStaticRouteCfg with an oversized argument list, the sscanf function processes the input without adequate bounds checking. This leads to a buffer overflow, potentially overwriting critical stack data such as return addresses or function pointers. The web server process on the router typically runs with elevated privileges, so successful exploitation can result in arbitrary code execution with high privileges.
The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input). The root cause is insufficient input validation and lack of buffer size checks in the use of sscanf for parsing configuration parameters.
No public code snippets from the firmware are available in the referenced sources, but the vulnerability mechanism is consistent with other Tenda router flaws where unchecked input to a parsing function leads to stack corruption. Public exploit code is available, which increases the risk of automated exploitation.
Affected Systems and Versions
- Product: Tenda AC21 router
- Firmware versions: Up to and including 16.03.08.16
- Vulnerable endpoint:
/goform/SetStaticRouteCfg - Vulnerable function:
sscanf(in processing argument list from HTTP POST)
Vendor Security History
Tenda has a documented history of buffer overflow vulnerabilities in its router firmware. Notable recent examples include:
- CVE-2025-9605: Stack buffer overflow in
/goform/GetParentControlInfo(mac parameter) - CVE-2025-10838: Buffer overflow in
/goform/WifiExtraSet(wpapsk_crypto argument) - CVE-2025-8160: Buffer overflow in AC20 model
Patch response times have varied, with some vulnerabilities remaining unpatched for significant periods. Tenda's security maturity is considered inconsistent compared to industry leaders. The recurring nature of these flaws suggests systemic issues in input validation and secure coding practices.