Introduction
Remote attackers can take control of Tenda AC20 routers running older firmware by exploiting a critical buffer overflow in the web management interface. This flaw enables unauthenticated code execution or denial of service, putting small office and home networks at significant risk if left unaddressed.
Tenda is a globally recognized vendor of networking hardware, with a wide range of routers, switches, and wireless devices deployed in consumer and SMB environments. The AC20 is a dual-band router model popular for its affordability and feature set, making it a common choice for small businesses and home users worldwide. Tenda's broad market reach means vulnerabilities in its products can have a substantial impact on network security for a large user base.
Technical Information
The vulnerability resides in the httpd component of Tenda AC20 routers running firmware versions up to and including 16.03.08.12. Specifically, the flaw affects the /goform/SetSysTimeCfg endpoint, which is accessible via HTTP POST requests. The endpoint processes the timeZone parameter provided by clients.
The root cause is insufficient bounds checking when copying the timeZone value into a fixed-size stack buffer. Public analysis indicates that unsafe string handling functions (such as strcpy) are likely used, allowing an attacker to supply an overly long timeZone value. When this occurs, the buffer overflow can corrupt adjacent memory, including the function's return address or other stack variables. This enables remote code execution or can crash the web server process, resulting in denial of service.
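The bounds check that the root-cause description says is missing, as an added C example (not Tenda's code and not taken from the public analysis): the handler looks up timeZone in the POST body and refuses any value that does not fit the destination buffer. The 32-byte TZ_BUF_LEN and all function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed capacity: the firmware's real buffer size is not given in the write-up. */
#define TZ_BUF_LEN 32

enum tz_status { TZ_OK = 0, TZ_MISSING = -1, TZ_TOO_LONG = -2 };

/* Pattern the write-up describes (hypothetical reconstruction, not vendor code):
 *     char tz[TZ_BUF_LEN];
 *     strcpy(tz, value);   // length of value is never compared to sizeof tz
 */

/* Locate field `name` in a urlencoded body; returns the value start and sets *len.
 * Matches only at the start of a field, so "xtimeZone=" does not match "timeZone". */
static const char *form_value(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        size_t flen = amp ? (size_t)(amp - p) : strlen(p);

        if (flen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *len = flen - nlen - 1;
            return p + nlen + 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* Copy timeZone into dst only if it fits together with its terminator.
 * Oversized input is rejected outright, not truncated, and dst is left untouched. */
int copy_time_zone(const char *body, char *dst, size_t dst_len)
{
    size_t len = 0;
    const char *val = form_value(body, "timeZone", &len);

    if (val == NULL)
        return TZ_MISSING;
    if (dst_len == 0 || len >= dst_len)
        return TZ_TOO_LONG;
    memcpy(dst, val, len);
    dst[len] = '\0';
    return TZ_OK;
}
```

Rejecting on `len >= dst_len` rather than truncating keeps a partially copied value from ever reaching later configuration code.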
The attack can be performed remotely and does not require authentication. An attacker simply needs to craft an HTTP POST request to the vulnerable endpoint with a maliciously long timeZone parameter. Exploit details have been made public, which increases the likelihood of this vulnerability being targeted in the wild.
Affected Systems and Versions
- Tenda AC20 routers with firmware versions up to and including 16.03.08.12
- Only the /goform/SetSysTimeCfg endpoint in the httpd component is confirmed as vulnerable
- No information is available about other Tenda models or firmware versions
Vendor Security History
Tenda has a documented history of similar vulnerabilities in its router products. For example, CVE-2025-8131 describes a stack-based buffer overflow in the AC20 model via the /goform/SetStaticRouteCfg endpoint. CVE-2025-6887 affects the AC5 router in a similar fashion, with a buffer overflow in the /goform/SetSysTimeCfg endpoint. These recurring issues suggest persistent challenges in the secure handling of user input in Tenda's web management interfaces. Vendor response times to past vulnerabilities have varied, and as of this writing, there is no confirmed patch or mitigation for CVE-2025-8160.