Tenda AC7 CVE-2025-11528: Brief Summary of a Stack-Based Buffer Overflow Vulnerability

This post provides a brief summary of CVE-2025-11528, a stack-based buffer overflow vulnerability in Tenda AC7 router firmware 15.03.06.44. It covers the technical mechanism, affected versions, and relevant vendor security history based on available public information.
CVE Analysis

9 min read

ZeroPath CVE Analysis

ZeroPath CVE Analysis

2025-10-08

Tenda AC7 CVE-2025-11528: Brief Summary of a Stack-Based Buffer Overflow Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction - Engaging opening that highlights real impact and significance

Remote attackers can gain control over Tenda AC7 routers running firmware version 15.03.06.44 by exploiting a stack-based buffer overflow in the web management interface. With public exploit code available, this vulnerability exposes consumer and small business networks to code execution risks and device compromise.

Tenda is a widely recognized manufacturer of consumer and small business networking equipment, with a global presence and millions of devices deployed. The AC7 is a popular wireless router model, and vulnerabilities in its firmware can have significant impact on home and office network security.

Technical Information

CVE-2025-11528 is a stack-based buffer overflow vulnerability in the Tenda AC7 router firmware version 15.03.06.44. The issue resides in the /goform/saveAutoQos endpoint, which is part of the router's web management interface. When processing HTTP POST requests to this endpoint, the firmware parses the enable parameter and stores its value in a fixed-size buffer allocated on the stack. However, the implementation fails to properly check the length of the user-supplied enable value before copying it into the buffer.

If an attacker submits an oversized value for the enable parameter, the buffer is overflowed. This can overwrite adjacent memory on the stack, including the function's return address. As a result, an attacker can potentially redirect execution flow and achieve remote code execution on the device. The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The attack can be performed remotely via network access to the web interface, and does not require prior authentication if the management interface is exposed.

Public exploit code for this vulnerability is available, which demonstrates how to trigger the overflow and potentially execute arbitrary code. No official patch or detection guidance has been published as of the time of writing.

Affected Systems and Versions

  • Product: Tenda AC7 wireless router
  • Firmware version: 15.03.06.44
  • The vulnerability affects the /goform/saveAutoQos endpoint
  • Only this specific firmware version is confirmed to be affected based on public sources

Vendor Security History

Tenda has a documented history of buffer overflow vulnerabilities in its router products, often involving the /goform/ endpoints. Previous CVEs such as CVE-2025-11325, CVE-2025-11327, and CVE-2025-11123 describe similar stack-based buffer overflows in other Tenda models and firmware versions. The vendor's response to these issues has been inconsistent, with delays or lack of official advisories and patches for several critical vulnerabilities. This pattern suggests ongoing challenges in secure coding practices and vulnerability management within Tenda's development process.

References

Detect & fix
what others miss