CVE-2025-11091
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-28

Last updated on: 2025-10-03

Assigner: VulDB

Description
A security flaw has been discovered in Tenda AC21 up to 16.03.08.16. Affected by this vulnerability is the function sscanf of the file /goform/SetStaticRouteCfg. The manipulation of the argument list results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-28
Last Modified
2025-10-03
Generated
2026-06-16
AI Q&A
2025-09-28
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11091
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tenda ac21_firmware to 16.03.08.16 (inc)
tenda ac21 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a buffer overflow in the Tenda AC21 router firmware (up to version 16.03.08.16) occurring in the function sscanf within the /goform/SetStaticRouteCfg endpoint. The sscanf function parses input without proper bounds checking, allowing an attacker to send a specially crafted HTTP POST request with an excessively long parameter. This causes a stack-based buffer overflow, which can lead to denial of service or potentially remote code execution on the device. [1, 2, 3]

Impact Analysis

Exploitation of this vulnerability can impact the confidentiality, integrity, and availability of the affected Tenda AC21 router. An attacker can remotely cause a denial of service (DoS), making the device unavailable, or potentially execute arbitrary code remotely (remote code execution), which could allow full control over the device. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests sent to the endpoint /goform/SetStaticRouteCfg on Tenda AC21 routers running vulnerable firmware versions. Specifically, look for unusually long or malformed 'list' parameters in the POST data that could trigger the buffer overflow. A detection approach could involve capturing network traffic and filtering for POST requests to /goform/SetStaticRouteCfg with suspiciously large payloads. For example, using tcpdump or tshark: 1) Capture traffic: tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' 2) Filter HTTP POST requests to the vulnerable endpoint and inspect the 'list' parameter for abnormal length or content. Alternatively, use tools like Wireshark with display filter: http.request.method == "POST" && http.request.uri contains "/goform/SetStaticRouteCfg". There is a publicly available proof-of-concept exploit that sends a long string of 'a' characters in the 'list' parameter, which can be used as a test to verify if the device is vulnerable. [1, 3]

Mitigation Strategies

Immediate mitigation steps include restricting or blocking remote HTTP POST requests to the /goform/SetStaticRouteCfg endpoint on affected Tenda AC21 routers to prevent exploitation. Since no known countermeasures or patches are currently available, it is recommended to replace the affected device with a non-vulnerable alternative or upgrade the firmware if a fixed version becomes available. Additionally, implementing network-level protections such as firewall rules to limit access to the router's management interface and monitoring for exploit attempts can reduce risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11091. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart