Tenda AC1206 CVE-2025-9523 Stack Buffer Overflow: Brief Summary and Technical Review

A brief summary and technical review of CVE-2025-9523, a critical stack-based buffer overflow in Tenda AC1206 routers (firmware 15.03.06.23). This post covers technical details, affected versions, and vendor security history based on public sources.

ZeroPath CVE Analysis

2025-08-27

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Remote compromise of consumer routers can enable attackers to intercept traffic, pivot into internal networks, and persist undetected for months. The recent public exploit for CVE-2025-9523 in Tenda AC1206 routers highlights a critical risk for home and small business networks relying on this hardware.

About Tenda: Tenda is a global networking hardware manufacturer with a broad portfolio of wireless routers, switches, and related products. Their devices are widely deployed in consumer and SMB environments, making vulnerabilities in their firmware a significant concern for network security at scale. Tenda has a history of recurring security issues, including hard-coded credentials and multiple buffer overflow vulnerabilities.

Technical Information

CVE-2025-9523 is a stack-based buffer overflow in the GetParentControlInfo function of the Tenda AC1206 router firmware version 15.03.06.23. The vulnerability is triggered via the /goform/GetParentControlInfo HTTP endpoint, specifically through manipulation of the mac parameter.

Vulnerability mechanism:

  • The GetParentControlInfo function is intended to retrieve parental control information based on the MAC address of a connected device.
  • The mac parameter from the HTTP request is copied into a fixed-size stack buffer without proper bounds checking.
  • If an attacker supplies an overly long mac value, the buffer is overrun, overwriting adjacent stack memory including the function's return address.
  • This enables remote, unauthenticated arbitrary code execution on the device.

Root cause:

  • Lack of input validation on the mac parameter in the GetParentControlInfo function.
  • Insecure memory handling (stack buffer overflow) due to copying user input into a fixed-size buffer without length checks.

Related vulnerabilities:

  • Similar buffer overflows have been reported in Tenda AC8 (heap overflow in the same endpoint) and AC15 (GetParentControlInfo function), indicating a recurring implementation flaw across Tenda router models.

No public vulnerable code snippet is available in the sources referenced.
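Because the vendor code is not public, the following is an added illustration of the bug class described above, not Tenda firmware code: an unchecked copy of a mac value into a fixed stack buffer, beside a version that validates the format and bounds the copy. All function names and the 18-byte buffer size are assumptions made for the example.

```c
/* Added illustration: NOT Tenda firmware code. Names and sizes are assumed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAC_STR_LEN  17                 /* "aa:bb:cc:dd:ee:ff" */
#define MAC_BUF_SIZE (MAC_STR_LEN + 1)  /* plus terminating NUL */

/* Unsafe pattern: the request, not the buffer, decides how much is copied. */
void lookup_unsafe(const char *mac_param)
{
    char mac[MAC_BUF_SIZE];
    strcpy(mac, mac_param);             /* overruns mac[] past 17 characters */
}

/* Accept exactly six colon-separated hex octets; stops at the first bad byte,
 * so it never reads beyond the input's terminating NUL. */
int mac_is_valid(const char *s)
{
    if (s == NULL)
        return 0;
    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        int ok = (i % 3 == 2) ? (s[i] == ':') : isxdigit((unsigned char)s[i]);
        if (!ok)
            return 0;
    }
    return s[MAC_STR_LEN] == '\0';
}

/* Hardened pattern: validate, then copy a length fixed by the destination.
 * Returns 0 on success, -1 when the input or the output buffer is rejected. */
int lookup_safe(const char *mac_param, char *out, size_t out_size)
{
    if (out == NULL || out_size < MAC_BUF_SIZE || !mac_is_valid(mac_param))
        return -1;
    memcpy(out, mac_param, MAC_STR_LEN);
    out[MAC_STR_LEN] = '\0';
    return 0;
}

int main(void)
{
    char out[MAC_BUF_SIZE];
    /* Constructed inputs: one well-formed value, one overlong value. */
    printf("%d\n", lookup_safe("aa:bb:cc:dd:ee:ff", out, sizeof out));
    printf("%d\n", lookup_safe("aa:bb:cc:dd:ee:ff:aa:bb:cc:dd:ee:ff", out, sizeof out));
    return 0;
}
```

Rejecting anything that is not a 17-character MAC string before the copy removes the attacker's control over the copy length, which is the root cause listed above.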

Affected Systems and Versions

  • Product: Tenda AC1206 router
  • Firmware version: 15.03.06.23
  • Only this specific firmware version is confirmed as affected in public sources
  • The vulnerability is present in the /goform/GetParentControlInfo endpoint, triggered via the mac parameter

Vendor Security History

  • Tenda has a documented history of security issues, including:
    • Hard-coded credentials in AC15 routers (no firmware update since 2017)
    • Multiple buffer overflow vulnerabilities across AC8, AC15, and other models
    • Slow or absent response to vulnerability disclosures
    • Several Tenda vulnerabilities are listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation
  • Security maturity is considered low based on public research and patch response records
