CVE-2025-9605

moderate-risk
Published 2025-08-29

A security vulnerability has been detected in Tenda AC21 and AC23 16.03.08.16. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. Such manipulation of the argument mac leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

Do I need to act?

-
0.46% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Tenda

References (9)

Exploit https://github.com/XXRicardo/iot-cve/blob/main/Tenda/AC21/AC21V1.0re_V16.03.08.1...
Exploit https://github.com/XXRicardo/iot-cve/blob/main/Tenda/AC23/Stack-Based%20Buffer%2...
Permissions Required https://vuldb.com/?ctiid.321783
Third Party Advisory https://vuldb.com/?id.321783
Third Party Advisory https://vuldb.com/?submit.636545
Third Party Advisory https://vuldb.com/?submit.636548
Product https://www.tenda.com.cn/
Exploit https://github.com/XXRicardo/iot-cve/blob/main/Tenda/AC21/AC21V1.0re_V16.03.08.1...
Exploit https://github.com/XXRicardo/iot-cve/blob/main/Tenda/AC23/Stack-Based%20Buffer%2...
41
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 7/34 · Low