Introduction
Remote attackers can gain code execution on Tenda AC7 routers by exploiting a stack-based buffer overflow in the Dynamic DNS configuration endpoint. With public exploits available and no official patch, this vulnerability exposes home and small business networks to compromise via a single crafted HTTP request.
About Tenda: Tenda is a major Chinese networking equipment manufacturer with a global presence. The company offers a wide range of consumer and SMB routers, access points, and switches. Tenda devices are deployed in millions of homes and small businesses worldwide, making vulnerabilities in their firmware highly impactful for the broader IoT ecosystem.
Technical Information
CVE-2025-11524 targets the Tenda AC7 router running firmware version 15.03.06.44. The vulnerability resides in the /goform/SetDDNSCfg HTTP endpoint, which handles Dynamic DNS configuration changes. Specifically, the endpoint processes a parameter named ddnsEn without proper bounds checking.
When a remote attacker submits an HTTP POST request to /goform/SetDDNSCfg with an overly long value for the ddnsEn parameter, the firmware copies this value into a fixed-size stack buffer. Due to the lack of length validation, this operation can overwrite adjacent stack memory, including control data such as return addresses. This allows the attacker to hijack execution flow and potentially run arbitrary code on the device.
The flaw is categorized as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). Publicly available exploit code demonstrates that the attack is feasible and can be performed remotely, provided the attacker can reach the router's management interface.
No official code snippet from the vendor or public advisories is available, but the vulnerability mechanism is confirmed by multiple independent sources and public exploit documentation.
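The missing length check, shown as an added C illustration of the hardened pattern; this is not Tenda firmware code or code from any advisory. The names form_get and parse_ddns_en, the buffer size DDNS_EN_MAX, and the treatment of ddnsEn as a 0/1 flag are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define DDNS_EN_MAX 8 /* assumed size; the firmware's real buffer size is not public here */

/* Copy the value of `key` from a form-encoded body into out[outsz].
 * Returns 0 on success, -1 if the key is absent, -2 if the value does
 * not fit (rejected outright, never truncated or copied past the end). */
static int form_get(const char *body, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = body;

    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);

        if (flen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = flen - klen - 1;
            if (vlen >= outsz)
                return -2;          /* the bounds check an unbounded copy lacks */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;   /* advance to the next field */
    }
    return -1;
}

/* Hypothetical handler fragment: 0 or 1 for a valid flag, -1 for anything else. */
int parse_ddns_en(const char *body)
{
    char en[DDNS_EN_MAX];

    if (form_get(body, "ddnsEn", en, sizeof en) != 0)
        return -1;
    if (strcmp(en, "0") == 0) return 0;
    if (strcmp(en, "1") == 0) return 1;
    return -1;                      /* allow-list: reject every other value */
}

int main(void)
{
    /* Constructed request bodies, not captured traffic. */
    printf("%d\n", parse_ddns_en("ddnsEn=1"));
    printf("%d\n", parse_ddns_en("ddnsEn=AAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

Rejecting an oversized value instead of truncating it also gives the web server a clean point at which to log the request.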
Affected Systems and Versions
- Product: Tenda AC7 wireless router
- Firmware version: 15.03.06.44 (latest known release)
- Endpoint: /goform/SetDDNSCfg
- Parameter: ddnsEn
- All configurations exposing the web management interface are vulnerable
Vendor Security History
Tenda has a documented history of critical vulnerabilities in its router firmware, including:
- Stack-based buffer overflows in other endpoints (e.g., CVE-2025-1851, CVE-2025-29137)
- Command injection vulnerabilities (e.g., CVE-2024-48826)
- Hardcoded credentials and weak authentication mechanisms
Security researchers have reported slow or absent responses to vulnerability disclosures. Some Tenda models have not received firmware updates for several years, raising concerns about long-term support and vendor security maturity.