Tenda AC18 CVE-2025-11325: Brief Summary of a Stack-Based Buffer Overflow Vulnerability

A brief summary of CVE-2025-11325, a stack-based buffer overflow in Tenda AC18 firmware 15.03.05.19(6318) affecting the /goform/fast_setting_pppoe_set endpoint. This post covers technical details, affected versions, and vendor security history.

ZeroPath CVE Analysis

2025-10-05

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Remote attackers can take control of Tenda AC18 routers running firmware 15.03.05.19(6318) by exploiting a stack-based buffer overflow in the PPPoE configuration interface. This vulnerability has a CVSS score of 8.8 and public exploit code is available, making it a high-priority risk for any organization or individual using these devices.

Tenda is a major global supplier of networking equipment, especially in the consumer and small business market. Their AC18 router is widely deployed in homes and small offices. The company has a history of firmware vulnerabilities, particularly buffer overflows, which have led to repeated security incidents affecting their products.

Technical Information

CVE-2025-11325 is a stack-based buffer overflow in the Tenda AC18 firmware version 15.03.05.19(6318). The flaw resides in the /goform/fast_setting_pppoe_set endpoint, which is used for configuring PPPoE connections via the router's web interface. When a remote attacker submits an HTTP POST request with an oversized Username parameter, the firmware copies this value into a stack-allocated buffer without proper bounds checking. This can overwrite critical stack data, such as return addresses, and potentially allow arbitrary code execution with the privileges of the router's web server process.

Key technical points:

  • Vulnerability is triggered by an oversized Username parameter in a POST request to /goform/fast_setting_pppoe_set
  • No authentication is required if the endpoint is exposed to the network
  • The overflow is stack-based, affecting control flow and enabling possible remote code execution
  • Public exploit code is available, making exploitation accessible to a wide range of attackers

No official patch or detection method has been published as of this writing.
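
The unchecked-copy pattern described in this section, next to a length-validated form, as an added illustration in C. It is not Tenda's firmware code and not part of the original post; the function names and the 64-byte buffer size are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration; the page does not state the firmware's buffer size. */
#define PPPOE_USER_MAX 64

/* Pattern the advisory describes: the request value is copied into a
 * stack buffer with no bounds check. Kept for comparison, never called here. */
int pppoe_user_unchecked(const char *username) {
    char user[PPPOE_USER_MAX];
    strcpy(user, username);   /* writes past user[] once input reaches 64 bytes */
    return (int)strlen(user);
}

/* Hardened copy: measure within the destination size first, and reject
 * oversized input rather than truncating it silently. Returns length or -1. */
int pppoe_user_checked(const char *username, char *dst, size_t dst_len) {
    if (username == NULL || dst == NULL || dst_len == 0)
        return -1;
    const char *nul = memchr(username, '\0', dst_len);  /* scans at most dst_len bytes */
    if (nul == NULL || nul == username)
        return -1;            /* no terminator within dst_len bytes, or empty */
    size_t n = (size_t)(nul - username);
    memcpy(dst, username, n + 1);   /* n + 1 <= dst_len, includes the NUL */
    return (int)n;
}

/* Hypothetical handler shape: returns an HTTP status for the Username field. */
int handle_pppoe_set(const char *username) {
    char user[PPPOE_USER_MAX];
    if (pppoe_user_checked(username, user, sizeof user) < 0)
        return 400;           /* refuse the request, stack untouched */
    /* ... apply the setting using user ... */
    return 200;
}

int main(void) {
    char oversized[512];      /* constructed sample input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("normal:    %d\n", handle_pppoe_set("subscriber@isp.example"));
    printf("oversized: %d\n", handle_pppoe_set(oversized));
    return 0;
}
```

Rejecting the request outright, rather than truncating the value, keeps a malformed Username from being silently stored as a different credential.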

Affected Systems and Versions

  • Product: Tenda AC18
  • Firmware: 15.03.05.19(6318)
  • Only this specific firmware version is confirmed affected based on available sources
  • The vulnerable endpoint is /goform/fast_setting_pppoe_set
  • Devices with the admin interface exposed to untrusted networks are at highest risk

Vendor Security History

Tenda has a documented history of buffer overflow and memory corruption vulnerabilities in its router firmware, especially in the AC18 product line. Documented examples and observed patterns include:

  • CVE-2022-38312: Stack overflow in another goform endpoint
  • Multiple buffer overflows documented in CVE Details
  • Patch response times have been slow, and security advisories are infrequent
  • Security maturity appears limited, with repeated similar vulnerabilities across firmware versions
