Buffer overflow in Tenda Ac21
CVE-2025-9605
A security vulnerability has been detected in Tenda AC21 and AC23 16.03.08.16. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. Such manipulation of the argument mac leads to stack-based buffer overfl…
Vulnerability class: Buffer Overflow
EPSS: 0.007 (71.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R.
Affected products
- Tenda Ac21 — versions 16.03.08.16
- Tenda Ac23 — versions 16.03.08.16
Weakness classification (CWE)
Public proof-of-concept exploits
References
- VDB-321783 | Tenda AC21/AC23 GetParentControlInfo stack-based overflow (vdb-entry, technical-description)
- VDB-321783 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
- Submit #636545 | Tenda Wi-Fi 5 Router AC21 AC21V1.0re_V16.03.08.16 Buffer Overflow (third-party-advisory)
- Submit #636548 | Tenda Wi-Fi 5 Router AC23 AC23V1.0re_V16.03.07.52 Buffer Overflow (Duplicate) (third-party-advisory)
- github.com/XXRicardo/iot-cve/blob/main/Tenda/AC21/AC21V1.0re_V16.03.08.16.md (related)
- github.com/XXRicardo/iot-cve/blob/main/Tenda/AC23/Stack-Based Buffer Overflow i… (exploit)
- www.tenda.com.cn/ (product)
Frequently asked questions
- What is CVE-2025-9605?
- CVE-2025-9605 is a critical-severity vulnerability in Tenda Ac21, classified under Stack-based Buffer Overflow. CVSS score: 9.8/10. Published 2025-08-29.
- How severe is CVE-2025-9605?
- Critical severity. CVSS v3 base score is 9.8 out of 10.
- Is CVE-2025-9605 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.