How to fix EUVD-2025-17397?

Within 24 hours: Identify and inventory all Tenda AC9 devices in your environment and isolate affected units from production networks if possible. Within 7 days: Implement network segmentation to restrict router administrative access, deploy WAF rules blocking requests to /goform/SetRemoteWebCfg endpoint, and disable remote web management features if not operationally critical. Within 30 days: Contact Tenda for patch availability updates, evaluate replacement with alternative router vendors, and conduct network forensics to detect any prior compromise attempts.

Is Ac9 Firmware affected by EUVD-2025-17397?

A critical remote code execution vulnerability affecting Tenda AC9 routers (version 15.03.02.13) allows unauthenticated attackers to compromise devices through a buffer overflow attack.

EUVD-2025-17397

| CVE-2025-5847 HIGH

2025-06-08 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 19:17 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 19:17 euvd

EUVD-2025-17397

PoC Detected

Jun 09, 2025 - 19:04 vuln.today

Public exploit code

CVE Published

Jun 08, 2025 - 14:15 nvd

HIGH 8.8

Description

A vulnerability has been found in Tenda AC9 15.03.02.13 and classified as critical. Affected by this vulnerability is the function formSetSafeWanWebMan of the file /goform/SetRemoteWebCfg of the component HTTP POST Request Handler. The manipulation of the argument remoteIp leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

Critical stack-based buffer overflow vulnerability in Tenda AC9 router firmware version 15.03.02.13, exploitable via the HTTP POST handler's formSetSafeWanWebMan function through manipulation of the remoteIp parameter. An authenticated remote attacker can achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). A public proof-of-concept exploit exists, elevating real-world exploitation risk significantly.

Technical Context

The vulnerability exists in the HTTP POST request handler component of Tenda AC9 firmware, specifically in the /goform/SetRemoteWebCfg endpoint's formSetSafeWanWebMan function. The root cause is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), manifesting as a classic stack-based buffer overflow. The remoteIp parameter lacks proper input validation and bounds checking, allowing an attacker to write beyond allocated stack memory. This affects network device firmware where the HTTP interface processes user-supplied configuration data without adequate sanitization. The affected CPE would be cpe:2.3:h:tenda:ac9:15.03.02.13:*:*:*:*:*:*:*, indicating the specific hardware model and firmware version combination.

Affected Products

- vendor: Tenda; product: AC9; affected_version: 15.03.02.13; model: AC9; component: HTTP POST Request Handler (/goform/SetRemoteWebCfg); function: formSetSafeWanWebMan; cpe: cpe:2.3:h:tenda:ac9:15.03.02.13:*:*:*:*:*:*:*; status: Vulnerable

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +44

POC: +20

EUVD-2025-17397 vulnerability details – vuln.today

Back

EUVD-2025-17397

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

EUVD-2025-17397

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code