Introduction
Remote attackers can gain control of Tenda AC21 and AC23 routers running firmware 16.03.08.16 by exploiting a stack-based buffer overflow in the parental control interface (CVE-2025-9605). With a CVSS score of 9.8 and public proof-of-concept code available, the flaw exposes affected home and SMB networks to remote code execution and full device takeover.
Tenda is a major global manufacturer of networking equipment, with a wide range of routers deployed in homes and small businesses worldwide. The company has a history of recurring buffer overflow vulnerabilities across its product lines, raising concerns about the security maturity of its firmware development practices.
Technical Information
CVE-2025-9605 affects the GetParentControlInfo function in Tenda AC21 and AC23 routers running firmware version 16.03.08.16. The function handles the web management endpoint /goform/GetParentControlInfo. When a POST request to that endpoint carries an overly long mac parameter, the handler copies the value into a fixed-size stack buffer without checking its length. The result is a stack-based buffer overflow (CWE-121): the excess bytes overwrite adjacent stack data, including the saved return address, which an attacker can use to redirect execution and run arbitrary code in the context of the router's web server.
The flaw is reachable over the network through the web interface, and the 9.8 score reflects that no authentication is required. The root cause is the absence of length validation on user-supplied input in a handler that writes it into a fixed-size buffer. Closely related flaws have been reported in other Tenda routers, such as the AC1206 (CVE-2025-9523) and AC20 (CVE-2025-8160), pointing to a systemic issue in Tenda's shared firmware codebase.
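The pattern described above, as an added example that is not Tenda's code: the page does not reproduce the decompiled function, so the vulnerable handler below is a reconstruction of the described CWE-121 shape, and the function names, the 32-byte buffer size and the request bodies are all assumptions. It places the unchecked copy next to a hardened version that validates the length and format of the mac parameter before a single byte is written into the fixed-size buffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of a textual MAC address, "aa:bb:cc:dd:ee:ff". */
#define MAC_STR_LEN 17

/*
 * Minimal application/x-www-form-urlencoded lookup. Finds "name=" at the
 * start of the body or directly after '&' and returns a pointer to the value
 * plus its length (up to the next '&' or end of string). No percent-decoding:
 * the PoC sends the mac value raw, and decoding is orthogonal to the bug.
 */
static const char *form_find(const char *body, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = body;

    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            *vlen = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return NULL;
}

/*
 * The CWE-121 pattern the advisory describes, reconstructed for contrast
 * (hypothetical; not Tenda's code). The value length comes from the request,
 * the destination is a 32-byte stack buffer, and nothing compares the two, so
 * a long mac= value runs past `mac` into saved registers and the return
 * address. Shown to be read, not run: never call it with untrusted input.
 */
void vulnerable_get_parent_control_info(const char *body)
{
    char mac[32];
    size_t vlen = 0;
    const char *v = form_find(body, "mac", &vlen);

    if (v) {
        memcpy(mac, v, vlen);   /* unbounded copy: vlen is attacker-controlled */
        mac[vlen] = '\0';       /* second out-of-bounds write when vlen >= 32 */
        printf("looking up parental-control entry for %s\n", mac);
    }
}

/*
 * Hardened replacement: validate before copying. A MAC is exactly 17 bytes,
 * hex digit pairs separated by ':', so anything else is rejected before a
 * single byte reaches the fixed-size destination.
 * Returns 0 and fills out[] (NUL-terminated) on success, -1 otherwise.
 */
int get_mac_param(const char *body, char out[MAC_STR_LEN + 1])
{
    size_t vlen = 0;
    const char *v = form_find(body, "mac", &vlen);

    if (!v || vlen != MAC_STR_LEN)
        return -1;                      /* missing, truncated or oversized */

    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {
            if (v[i] != ':')
                return -1;
        } else if (!isxdigit((unsigned char)v[i])) {
            return -1;
        }
    }
    memcpy(out, v, MAC_STR_LEN);
    out[MAC_STR_LEN] = '\0';
    return 0;
}

/* Wrappers over constructed request bodies (not captured traffic). */
int demo_valid_mac(void)
{
    char mac[MAC_STR_LEN + 1];
    return get_mac_param("mac=00:11:22:33:44:55&time=1", mac) == 0
        && strcmp(mac, "00:11:22:33:44:55") == 0;
}

int demo_oversized_mac(void)
{
    char body[600];
    char mac[MAC_STR_LEN + 1];
    memset(body, 'A', sizeof body - 1);
    body[sizeof body - 1] = '\0';
    memcpy(body, "mac=", 4);            /* "mac=AAAA...": the PoC's shape */
    return get_mac_param(body, mac);    /* -1: rejected before any copy */
}

int main(void)
{
    printf("valid:     %s\n", demo_valid_mac() ? "accepted" : "rejected");
    printf("oversized: %s\n", demo_oversized_mac() == 0 ? "accepted" : "rejected");
    return 0;
}
```

The order of operations is the whole fix: get_mac_param decides on length and syntax first and only then touches the destination, whereas the vulnerable version copies first and has no point at which it could find out the value was too long. A real handler would also percent-decode the body before validating, which does not change the check.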
Proof of Concept
A proof-of-concept (PoC) exploit has been published for the Tenda AC21 running firmware V16.03.08.16. It targets the stack-based buffer overflow in the GetParentControlInfo function through the /goform/GetParentControlInfo endpoint.
The PoC sends a crafted POST request in which the mac parameter is far longer than the buffer that receives it. The copy overruns the stack buffer and corrupts the handler's stack frame, which disrupts normal execution (typically crashing the web server) and, with a controlled payload, lets the attacker execute arbitrary code on the device. That level of access amounts to a full compromise of the router: control over network traffic, interception of data passing through it, and a foothold for attacks on other devices on the network.
The exploit is delivered over the network and needs no physical access to the device. It does, however, require the attacker to reach the router's web interface. On a typical consumer router that interface listens on the LAN side unless remote management has been enabled, so exposure depends on whether the interface is reachable from the attacker's position, and network segmentation and access controls reduce it.
For a detailed walkthrough of the exploit and its implications, refer to the original PoC documentation.
References:
- https://dbugs.ptsecurity.com/vulnerability/PT-2025-35174
- https://github.com/XXRicardo/iot-cve/blob/main/Tenda/AC21/AC21V1.0re_V16.03.08.16.md
Detection Methods
Detecting this class of flaw in Tenda devices such as the AC21 involves a combination of static and dynamic analysis. Static analysis examines the firmware's code for unsafe patterns without executing it; here the pattern is a web handler that copies a request parameter into a fixed-size stack buffer without a length check. Research tools such as LuaTaint, which combines static taint analysis with large language models to find vulnerabilities in the Lua-based web configuration interfaces of IoT devices, report detection precision of up to 89.29%. (arxiv.org) Tenda's /goform handlers live in a compiled httpd binary rather than in Lua, so applying the same taint-tracking idea to them requires a binary-level tool.
Dynamic analysis observes the running device, for instance by sending malformed requests to the web interface and watching for crashes or other anomalies that indicate memory corruption. A study of Tenda CP3 IP cameras combined static and dynamic analysis in this way and discovered five new CVEs with CVSS scores ranging from 7.5 to 9.8. (arxiv.org)
Intrusion prevention systems (IPS) can also detect and block malicious HTTP requests aimed at known Tenda vulnerabilities. FortiGuard Labs, for example, provides IPS signatures that identify attack attempts against denial-of-service vulnerabilities in Tenda devices by matching specific patterns in HTTP requests. (fortiguard.fortinet.com) For CVE-2025-9605 the equivalent pattern is a POST to /goform/GetParentControlInfo whose mac parameter is far longer than the 17 characters of a textual MAC address.
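One way to express the request pattern such an IPS signature would match, as an added example that is neither FortiGuard's nor Tenda's code: a classifier over raw HTTP requests that flags a POST to /goform/GetParentControlInfo whose mac value is far longer than a MAC address. The sample requests are constructed, and the 64-byte alert threshold is a hypothetical tuning choice.

```c
#include <stdio.h>
#include <string.h>

#define TARGET_PATH   "/goform/GetParentControlInfo"
#define MAC_STR_LEN   17   /* longest legitimate mac= value, "aa:bb:cc:dd:ee:ff" */

/*
 * Hypothetical alert threshold. Anything over 17 is already invalid, but a
 * margin keeps a sloppy-but-harmless client (trailing whitespace, percent
 * encoding) from tripping the rule; an overflow payload is hundreds of bytes.
 */
#define MAC_ALERT_LEN 64

enum verdict { NOT_RELEVANT = 0, ENDPOINT_OK = 1, OVERFLOW_ATTEMPT = 2 };

/*
 * Classify one raw HTTP request (request line, headers, blank line, body).
 * Deliberately coarse, the way an IPS signature is: it keys on the request
 * line and the first "mac=" in the body and measures the value up to '&' or
 * end of body. It does not percent-decode, so an attacker could encode the
 * payload to slip past it; a production rule would normalize first.
 */
enum verdict classify_request(const char *req)
{
    const size_t plen = strlen(TARGET_PATH);
    const char *path, *body, *m;
    size_t vlen;

    if (strncmp(req, "POST ", 5) != 0)
        return NOT_RELEVANT;
    path = req + 5;
    if (strncmp(path, TARGET_PATH, plen) != 0)
        return NOT_RELEVANT;
    if (path[plen] != ' ' && path[plen] != '?')
        return NOT_RELEVANT;            /* e.g. /goform/GetParentControlInfoX */

    body = strstr(req, "\r\n\r\n");
    if (!body)
        return ENDPOINT_OK;             /* no body to measure */
    body += 4;

    m = strstr(body, "mac=");
    if (!m)
        return ENDPOINT_OK;
    vlen = strcspn(m + 4, "&\r\n");
    return vlen > MAC_ALERT_LEN ? OVERFLOW_ATTEMPT : ENDPOINT_OK;
}

/* Constructed sample requests (not captured traffic). */
static const char BENIGN_REQUEST[] =
    "POST /goform/GetParentControlInfo HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "mac=00:11:22:33:44:55";

static const char UNRELATED_REQUEST[] =
    "GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n";

/* Builds a request in the PoC's shape: mac= followed by payload_len filler bytes. */
enum verdict classify_synthetic_attack(size_t payload_len)
{
    static char req[2048];
    size_t off;

    if (payload_len > 1500)
        payload_len = 1500;
    off = (size_t)snprintf(req, sizeof req,
                           "POST " TARGET_PATH " HTTP/1.1\r\n"
                           "Host: 192.168.0.1\r\n"
                           "Content-Type: application/x-www-form-urlencoded\r\n"
                           "\r\n"
                           "mac=");
    memset(req + off, 'A', payload_len);
    strcpy(req + off + payload_len, "&time=1");
    return classify_request(req);
}

enum verdict classify_benign(void)    { return classify_request(BENIGN_REQUEST); }
enum verdict classify_unrelated(void) { return classify_request(UNRELATED_REQUEST); }

int main(void)
{
    printf("benign:    %d\n", classify_benign());
    printf("unrelated: %d\n", classify_unrelated());
    printf("attack:    %d\n", classify_synthetic_attack(600));
    return 0;
}
```

The threshold, not the endpoint match, carries the signal: legitimate management traffic also POSTs to this endpoint, so a rule that fires on the path alone would be pure noise, while a mac value of several hundred bytes has no benign explanation.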
By integrating these detection methods—static analysis for preemptive vulnerability identification, dynamic analysis for real-time monitoring, and IPS for immediate threat mitigation—organizations can enhance their security posture against potential exploits targeting Tenda devices.
Affected Systems and Versions
- Tenda AC21 router, firmware version 16.03.08.16
- Tenda AC23 router, firmware version 16.03.08.16
Other firmware versions and models are not confirmed as affected based on available data. The vulnerability specifically impacts the GetParentControlInfo function exposed via /goform/GetParentControlInfo.
Vendor Security History
Tenda has a documented history of remote code execution vulnerabilities in the /goform handlers of its web interface, spanning both memory corruption and command injection, across multiple router models:
- AC11: CVE-2021-31755 (stack-based buffer overflow in /goform/setmac)
- AC15: CVE-2020-10987 (command injection via /goform/setUsbUnload)
- AC7, AC9, AC10: CVE-2018-14558 (command injection via /goform/setUsbUnload)
- AC1206: CVE-2025-9523
- AC20: CVE-2025-8160
Several of these vulnerabilities have been included in CISA's Known Exploited Vulnerabilities catalog. Patch response times have been inconsistent, and some models have not received firmware updates for years after disclosure. The recurrence of similar flaws suggests systemic issues in Tenda's firmware development and security review processes.