Tenda AC20 CVE-2025-9791: Brief Summary of a Stack-Based Buffer Overflow Vulnerability

This post provides a brief summary of CVE-2025-9791, a stack-based buffer overflow in Tenda AC20 16.03.08.05. It covers technical details, affected versions, and vendor security history based on available public sources.

ZeroPath CVE Analysis

2025-09-01

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Attackers can remotely compromise Tenda AC20 routers running firmware 16.03.08.05 by exploiting a stack-based buffer overflow in the device's web management interface. Public exploit code is available, making this a high-risk issue for any organization or individual using affected hardware.

Tenda is a globally recognized networking equipment vendor with a large presence in the consumer and SMB router market. Their AC20 model is widely deployed for home and small office use. The company has faced repeated security scrutiny due to recurring vulnerabilities in its firmware, particularly involving memory safety and input validation flaws.

Technical Information

CVE-2025-9791 is a stack-based buffer overflow vulnerability in the Tenda AC20 router, specifically in firmware version 16.03.08.05. The flaw resides in the /goform/fromAdvSetMacMtuWan endpoint of the device's web management interface. Attackers can trigger the vulnerability by sending a crafted HTTP POST request that manipulates the wanMTU parameter.

The root cause is insufficient bounds checking on the wanMTU parameter before copying its value into a stack buffer. This allows remote attackers to overflow the buffer and potentially execute arbitrary code on the device. The vulnerability does not require authentication, significantly increasing its exploitability.

While no public code snippet is available for this specific CVE, similar vulnerabilities in Tenda AC20 firmware have involved unsafe use of string copy functions (such as strcpy) without proper input validation. This pattern has been observed across multiple endpoints in Tenda firmware, indicating a systemic issue with input handling.
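The unsafe copy pattern described above, next to a bounds-checked form, as an added illustration in C. This is not Tenda firmware code (none is public for this CVE); the function names, the 16-byte buffer size and the 576 to 1500 MTU range are assumptions, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MTU_BUF_LEN 16   /* assumed size of the handler's stack buffer */
#define MTU_MIN 576      /* assumed acceptable WAN MTU range */
#define MTU_MAX 1500

/* Unsafe pattern: no length check before the copy, so any value of
 * MTU_BUF_LEN bytes or more writes past the end of buf. Never called here. */
int set_wan_mtu_unsafe(const char *wan_mtu) {
    char buf[MTU_BUF_LEN];
    strcpy(buf, wan_mtu);
    return (int)strlen(buf);
}

/* Hardened form: measure the input against the buffer before any copy,
 * accept digits only, then range-check the parsed value.
 * Returns 0 and sets *mtu on success, -1 on rejection. */
int set_wan_mtu_checked(const char *wan_mtu, int *mtu) {
    char buf[MTU_BUF_LEN];
    size_t len, i;
    int value = 0;

    if (wan_mtu == NULL || mtu == NULL) return -1;
    for (len = 0; len < sizeof buf && wan_mtu[len] != '\0'; len++)
        ;                                   /* bounded length scan */
    if (len == 0 || len == sizeof buf)      /* empty, or no room for the NUL */
        return -1;
    memcpy(buf, wan_mtu, len);
    buf[len] = '\0';
    for (i = 0; i < len; i++) {
        if (!isdigit((unsigned char)buf[i])) return -1;
        value = value * 10 + (buf[i] - '0');
        if (value > MTU_MAX) return -1;     /* also prevents int overflow */
    }
    if (value < MTU_MIN) return -1;
    *mtu = value;
    return 0;
}

int main(void) {
    /* Constructed sample values for the wanMTU parameter. */
    const char *samples[] = { "1500", "1492", "99999", "15oo",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int mtu = 0, rc = set_wan_mtu_checked(samples[i], &mtu);
        printf("%-.20s -> %s (%d)\n", samples[i], rc ? "rejected" : "accepted", mtu);
    }
    return 0;
}
```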

Affected Systems and Versions

  • Product: Tenda AC20 router
  • Firmware version: 16.03.08.05
  • Vulnerable endpoint: /goform/fromAdvSetMacMtuWan
  • Vulnerable parameter: wanMTU
  • All configurations exposing the web management interface are potentially vulnerable

Vendor Security History

Tenda has a documented history of security issues in its router firmware, particularly in the AC20 product line. Notable examples include:

  • CVE-2025-8810: Stack-based buffer overflow in /goform/SetFirewallCfg (firmware 16.03.08.05)
  • CVE-2025-8160: Buffer overflow in /goform/SetSysTimeCfg (firmware up to 16.03.08.12)
  • CVE-2025-9091: Hard-coded credentials in firmware 16.03.08.12

Patch response times have been inconsistent, and some vulnerabilities have remained unpatched for extended periods. Unsafe string handling and lack of input validation are recurring root causes.
