How to fix CVE-2025-5852?

Within 24 hours: Identify and inventory all Tenda AC6 devices in production and isolate affected units from critical network segments if possible. Within 7 days: Implement network access controls restricting administrative interfaces to trusted networks only and enable detailed logging of /goform/setPptpUserList requests. Within 30 days: Contact Tenda for firmware availability; evaluate replacement with patched hardware or alternative vendor solutions if updates remain unavailable.

Is Ac6 Firmware affected by CVE-2025-5852?

A remote code execution vulnerability affecting Tenda AC6 routers (firmware 15.03.05.16) has been publicly disclosed with working exploits available. Organizations using this device model are at immediate risk of unauthorized access and network compromise without vendor remediation available.

CVE-2025-5852

EUVD-2025-17416 HIGH

2025-06-09 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 19:21 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 19:21 euvd

EUVD-2025-17416

PoC Detected

Jun 09, 2025 - 19:04 vuln.today

Public exploit code

CVE Published

Jun 09, 2025 - 01:15 nvd

HIGH 8.8

Description

A vulnerability classified as critical has been found in Tenda AC6 15.03.05.16. Affected is the function formSetPPTPUserList of the file /goform/setPptpUserList. The manipulation of the argument list leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis

Critical buffer overflow vulnerability in Tenda AC6 router firmware version 15.03.05.16, affecting the PPTP user list configuration function accessible via the /goform/setPptpUserList endpoint. An authenticated attacker can remotely exploit this vulnerability by manipulating the 'list' argument to achieve code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code is available and the vulnerability meets criteria for active exploitation risk.

Technical Context

This vulnerability exists in the formSetPPTPUserList function within the web management interface of Tenda AC6 routers, which handles Point-to-Point Tunneling Protocol (PPTP) user account configuration. The root cause is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), a classic stack or heap buffer overflow. The vulnerable parameter 'list' lacks proper bounds checking when processing user input, allowing an attacker to write arbitrary data beyond allocated buffer boundaries. This affects Tenda AC6 CPE cpe:2.3:o:tenda:ac6_firmware:15.03.05.16:*:*:*:*:*:*:*. The web-based administration interface is the attack vector, requiring Layer 7 HTTP request manipulation.

Affected Products

AC6 (['15.03.05.16'])

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +44

POC: +20

CVE-2025-5852 vulnerability details – vuln.today

Back

CVE-2025-5852

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2025-5852

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code