Introduction
Attackers can remotely compromise Tenda AC20 routers running firmware 16.03.08.05 by exploiting a stack-based buffer overflow in the device's web management interface. Public exploit code is available, making this a high-risk issue for any organization or individual using affected hardware.
Tenda is a globally recognized networking equipment vendor with a large presence in the consumer and SMB router market. Their AC20 model is widely deployed for home and small office use. The company has faced repeated security scrutiny due to recurring vulnerabilities in its firmware, particularly involving memory safety and input validation flaws.
Technical Information
CVE-2025-9791 is a stack-based buffer overflow vulnerability in the Tenda AC20 router, specifically in firmware version 16.03.08.05. The flaw resides in the /goform/fromAdvSetMacMtuWan
endpoint of the device's web management interface. Attackers can trigger the vulnerability by sending a crafted HTTP POST request that manipulates the wanMTU
parameter.
The root cause is insufficient bounds checking on the wanMTU
parameter before copying its value into a stack buffer. This allows remote attackers to overflow the buffer and potentially execute arbitrary code on the device. The vulnerability does not require authentication, significantly increasing its exploitability.
While no public code snippet is available for this specific CVE, similar vulnerabilities in Tenda AC20 firmware have involved unsafe use of string copy functions (such as strcpy
) without proper input validation. This pattern has been observed across multiple endpoints in Tenda firmware, indicating a systemic issue with input handling.
Affected Systems and Versions
- Product: Tenda AC20 router
- Firmware version: 16.03.08.05
- Vulnerable endpoint:
/goform/fromAdvSetMacMtuWan
- Vulnerable parameter:
wanMTU
- All configurations exposing the web management interface are potentially vulnerable
Vendor Security History
Tenda has a documented history of security issues in its router firmware, particularly in the AC20 product line. Notable examples include:
- CVE-2025-8810: Stack-based buffer overflow in
/goform/SetFirewallCfg
(firmware 16.03.08.05) - CVE-2025-8160: Buffer overflow in
/goform/SetSysTimeCfg
(firmware up to 16.03.08.12) - CVE-2025-9091: Hard-coded credentials in firmware 16.03.08.12
Patch response times have been inconsistent, and some vulnerabilities have remained unpatched for extended periods. Unsafe string handling and lack of input validation are recurring root causes.