CVE-2025-52221 -- CVSS 9.8 Vulnerability Briefing

CVE-2025-52221 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2025-52221 is a critical stack-based buffer overflow vulnerability in the Tenda AC6 router firmware (version 15.03.05.16_multi), specifically within the formSetCfm function exposed through the device's web management interface.

Technical Detail

The flaw exists because the formSetCfm function fails to properly validate the length of user-supplied input passed through the funcname, funcpara1, and funcpara2 parameters, allowing an attacker to overflow a stack buffer. By sending a crafted HTTP request with oversized parameter values to the affected endpoint, an attacker can overwrite adjacent memory, including return addresses, potentially achieving remote code execution with the privileges of the web server process. Given that consumer routers of this class typically run web services as root, successful exploitation likely results in full device compromise.

Exploitation Status

No known exploit code has been publicly identified or confirmed for this vulnerability at this time. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is currently assessed as no known exploit, though the straightforward nature of stack buffer overflows in embedded firmware historically makes them accessible to moderately skilled researchers once a device is analyzed.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this CVE. However, SOHO router vulnerabilities of this class have historically attracted attention from botnet operators and actors targeting home and small business network infrastructure.

What To Do

Organizations and individuals using Tenda AC6 devices running firmware version 15.03.05.16_multi should check Tenda's official support channels for a patched firmware release and apply it immediately given the critical CVSS score of 9.8. If no patch is available, restrict access to the device's web management interface by disabling remote administration and binding management access to trusted internal network segments only. Where possible, place the device behind an additional network control layer to limit exposure of the management interface. Monitor for anomalous HTTP requests targeting the router's web interface as a detection signal. Given the absence of a confirmed patch timeline, treating this as a high-priority remediation item is warranted.