Tenda AC20 CVE-2025-13258 Buffer Overflow: Brief Summary and Technical Review

A brief summary of CVE-2025-13258, a buffer overflow in Tenda AC20 routers up to firmware 16.03.08.12. This review covers technical details, affected versions, and vendor security history based on public sources. No patch or detection methods are currently available.

ZeroPath CVE Analysis

2025-11-16

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.


Introduction

Remote attackers can now exploit a critical memory flaw in Tenda AC20 routers to gain code execution or disrupt network operations. With exploit code already public and no authentication required, this vulnerability puts millions of home and small business networks at risk if left unaddressed.

About Tenda: Tenda is a major global provider of consumer and SMB networking equipment, with millions of routers and wireless devices deployed worldwide. The AC20 is one of their popular dual-band gigabit router models, widely used in residential and small office environments. Tenda's product line includes a range of routers, switches, and mesh WiFi systems, making them a significant player in the affordable networking market segment.

Technical Information

CVE-2025-13258 is a stack-based buffer overflow in the Tenda AC20 router's web management interface, specifically in firmware versions up to 16.03.08.12. The vulnerability is present in the /goform/WifiExtraSet endpoint, which handles HTTP POST requests for advanced WiFi configuration.

The root cause is improper handling of the wpapsk_crypto parameter. When a POST request is made to /goform/WifiExtraSet, the firmware copies the user-supplied value of wpapsk_crypto into a fixed-size stack buffer without validating its length. This unsafe operation allows an attacker to supply an excessively long value, overflowing the buffer and corrupting adjacent memory. The overflow can overwrite critical stack data such as return addresses, enabling remote code execution or causing a denial of service.

This vulnerability is closely related to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input). Similar flaws in Tenda routers have been traced to the use of unsafe functions like strcpy, which do not enforce length checks. No authentication is required to exploit this issue, and the attack can be performed remotely by sending a crafted HTTP POST request to the vulnerable endpoint. Public exploit code is available, lowering the barrier for attackers.
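The unchecked copy described above next to a length-validated form, as an added example rather than Tenda firmware code or code from the original page. The function names, the 32-byte buffer size and the sample values are assumptions, since the page gives none of them.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size; the page does not state the real buffer length. */
#define CRYPTO_BUF_LEN 32

/* Flawed pattern described above (CWE-120), kept for contrast: memory-safe
 * only when the caller guarantees strlen(value) < CRYPTO_BUF_LEN. */
int store_crypto_unchecked(const char *value, char *out, size_t out_len)
{
    char crypto[CRYPTO_BUF_LEN];
    strcpy(crypto, value);                 /* no length check */
    snprintf(out, out_len, "%s", crypto);
    return 0;
}

/* Hardened form: validate before copying, reject instead of truncating.
 * Returns 0 on success, -1 when the value is missing, empty or too long. */
int store_crypto_checked(const char *value, char *out, size_t out_len)
{
    char crypto[CRYPTO_BUF_LEN];
    const char *nul;
    size_t n;

    if (value == NULL || out == NULL || out_len == 0)
        return -1;
    /* Look for the terminator within the bound; never scan further. */
    nul = memchr(value, '\0', sizeof(crypto));
    if (nul == NULL || nul == value)
        return -1;
    n = (size_t)(nul - value);
    memcpy(crypto, value, n + 1);          /* n + 1 <= sizeof(crypto) */
    if ((size_t)snprintf(out, out_len, "%s", crypto) >= out_len)
        return -1;                         /* caller's buffer too small */
    return 0;
}

int main(void)
{
    char out[64], big[200];                /* constructed sample values */
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    printf("%d %d\n", store_crypto_checked("aes", out, sizeof(out)),
           store_crypto_checked(big, out, sizeof(out)));
    return 0;
}
```

Rejecting an oversized value outright, rather than silently truncating it, also gives the web server a clear point at which to return an error and log the request.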

Affected Systems and Versions

  • Product: Tenda AC20 router
  • Firmware versions: Up to and including 16.03.08.12
  • Vulnerable endpoint: /goform/WifiExtraSet
  • Vulnerable parameter: wpapsk_crypto
  • No authentication required for exploitation

Vendor Security History

Tenda has a documented history of buffer overflow and input validation vulnerabilities across multiple router models, including:

  • AC20: Multiple buffer overflows in different endpoints (CVE-2025-8160, CVE-2025-10120, CVE-2025-8940)
  • AC21, AC18, AC8, CH22, AC1206: Similar issues reported in recent years

Patch response times have been inconsistent. Some critical flaws have remained unpatched for extended periods, and vendor advisories are often limited or delayed. The repeated use of unsafe coding practices like unchecked string copying indicates ongoing security maturity challenges in Tenda's firmware development process.
