Introduction
Remote attackers can take control of Tenda AC18 routers running firmware 15.03.05.19(6318) by exploiting a stack-based buffer overflow in the PPPoE configuration interface. This vulnerability has a CVSS score of 8.8 and public exploit code is available, making it a high-priority risk for any organization or individual using these devices.
Tenda is a major global supplier of networking equipment, especially in the consumer and small business market. Their AC18 router is widely deployed in homes and small offices. The company has a history of firmware vulnerabilities, particularly buffer overflows, which have led to repeated security incidents affecting their products.
Technical Information
CVE-2025-11325 is a stack-based buffer overflow in the Tenda AC18 firmware version 15.03.05.19(6318). The flaw resides in the /goform/fast_setting_pppoe_set endpoint, which is used for configuring PPPoE connections via the router's web interface. When a remote attacker submits an HTTP POST request with an oversized Username parameter, the firmware copies this value into a stack-allocated buffer without proper bounds checking. This can overwrite critical stack data, such as return addresses, and potentially allow arbitrary code execution with the privileges of the router's web server process.
Key technical points:
- Vulnerability is triggered by an oversized Username parameter in a POST request to /goform/fast_setting_pppoe_set
- No authentication is required if the endpoint is exposed to the network
- The overflow is stack-based, affecting control flow and enabling possible remote code execution
- Public exploit code is available, making exploitation accessible to a wide range of attackers
No official patch or detection method has been published as of this writing.
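Because no detection method has been published, the following is an added example (not from Tenda or the original advisory) of a heuristic a proxy or IDS hook could apply: flag POST requests to the endpoint whose decoded Username value is unusually long. The 64-byte threshold, the form-urlencoded body format, the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote_to_bytes

ENDPOINT = "/goform/fast_setting_pppoe_set"  # endpoint named in the advisory
PARAM = b"Username"                          # parameter named in the advisory
MAX_LEN = 64  # assumed threshold; the advisory does not state the buffer size


def _values(encoded: bytes, name: bytes):
    """Yield every decoded value of `name` in a form-urlencoded byte string."""
    for field in encoded.split(b"&"):
        key, _, value = field.partition(b"=")
        if unquote_to_bytes(key.replace(b"+", b" ")) == name:
            yield unquote_to_bytes(value.replace(b"+", b" "))


def inspect_request(raw: bytes, max_len: int = MAX_LEN):
    """Return a finding dict for an oversized Username, or None if clean."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        method, target, _ = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    except ValueError:
        return None  # malformed request line
    url = urlsplit(target)
    if method.upper() != "POST" or url.path != ENDPOINT:
        return None
    # Check body and query string, and every duplicate of the parameter:
    # inspecting only the first occurrence is easy to evade.
    lengths = [len(v) for src in (body, url.query.encode("latin-1"))
               for v in _values(src, PARAM)]
    longest = max(lengths, default=0)
    if longest <= max_len:
        return None
    return {"endpoint": ENDPOINT, "param": PARAM.decode(), "decoded_len": longest}


def _post(body: bytes) -> bytes:
    """Build a constructed sample request (not captured traffic)."""
    return (b"POST " + ENDPOINT.encode() + b" HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


SAMPLES = {
    "normal": _post(b"Username=user%40isp.example&Password=x"),
    "encoded_short": _post(b"Username=" + b"%41" * 30),  # 90 raw, 30 decoded
    "oversized": _post(b"Username=ok&Username=" + b"%41" * 200),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, inspect_request(req))
```

The length is measured after percent-decoding, so a short value that merely looks long on the wire is not flagged, while a long value hidden behind a benign first duplicate is.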
Affected Systems and Versions
- Product: Tenda AC18
- Firmware: 15.03.05.19(6318)
- Only this specific firmware version is confirmed affected based on available sources
- The vulnerable endpoint is /goform/fast_setting_pppoe_set
- Devices with the admin interface exposed to untrusted networks are at highest risk
Vendor Security History
Tenda has a documented history of buffer overflow and memory corruption vulnerabilities in its router firmware, especially in the AC18 product line. Examples include:
- CVE-2022-38312: Stack overflow in another goform endpoint
- Multiple buffer overflows documented in CVE Details
- Patch response times have been slow, and security advisories are infrequent
- Security maturity appears limited, with repeated similar vulnerabilities across firmware versions