CVE-2025-11120
Published: 2025-09-28
Priority: P2 (67) · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.40% (87.3rd percentile)
A weakness has been identified in Tenda AC8 16.03.34.06. The affected element is the function formSetServerConfig of the file /goform/SetServerConfig. Executing manipulation can lead to buffer overflow. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tenda | ac18_firmware | — | — |
| tenda | ac8 | — | — |
Detection & IOCs (extracted from sources)
bytes: HTTP|2f|1|2e|0|20|200|20|OK|3d|
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda SetServerConfig Buffer Overflow Attempt (CVE-2025-11120)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/goform/SetServerConfig"; fast_pattern; http.request_body; content:"HTTP|2f|1|2e|0|20|200|20|OK|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/alc9700jmo/CVE/issues/19; reference:cve,2025-11120; classtype:web-application-attack; sid:2066304; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_12, cve CVE_2025_11120, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- The attack is delivered via HTTP POST to the exact URI /goform/SetServerConfig (URI length is exactly 23 bytes); match on the POST method and this URI path to identify exploitation attempts.
- The request body contains the byte pattern HTTP/1.0 200 OK= (hex-encoded as HTTP|2f|1|2e|0|20|200|20|OK|3d|), which is characteristic of the overflow payload embedded in the body.
- A PCRE match on the request body, relative to the preceding content match, for a parameter value of 100 or more characters before an ampersand or end of string (/^[^&]{100,}(?:&|$)/R) indicates the oversized input that triggers the buffer overflow.
- The vulnerability is in the function formSetServerConfig of the file /goform/SetServerConfig on Tenda AC8 firmware version 16.03.34.06; scope detection to this specific device/firmware.
- The attack is plaintext (non-TLS); deploy detection at the network perimeter and internally on HTTP traffic only.
- The Snort/Suricata rule (ET sid:2066304) targets $HOME_NET as the destination, meaning it is designed to detect inbound exploitation attempts against internal Tenda devices; ensure $HOME_NET is correctly scoped to include the device subnets.
- The exploit is publicly available; the reference PoC is hosted at github.com/alc9700jmo/CVE/issues/19 and should be reviewed to understand payload variations that may evade the current signature.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-62cc-6mpf-6rxc (ghsa_unreviewed · 2025-09-28): CVE-2025-11120 [HIGH] CWE-119
A weakness has been identified in Tenda AC8 16.03.34.06. The affected element is the function formSetServerConfig of the file /goform/SetServerConfig. Executing manipulation can lead to buffer overflow. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited.
CISA
CVE-2024-11120 [CRITICAL] CWE-78: GeoVision Devices OS Command Injection Vulnerability (cisa · 2025-05-07 · CVSS 9.8)
Affected: GeoVision Multiple Devices
Multiple GeoVision devices contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://dlcdn.geovision.com.tw/TechNotice/CyberSecurity/Security_Advisory_IP_Device_2024-11.pdf ; https://nvd.nist.gov/vuln/detail/CVE-2024-11120
Remediation Due Date: 2025-05-28
Suricata
CVE-2025-11120 [HIGH]: ET WEB_SPECIFIC_APPS Tenda SetServerConfig Buffer Overflow Attempt (CVE-2025-11120) (suricata · 2025-12-12 · CVSS 7.4)
Rule: sid:2066304, quoted in full under Detection & IOCs above.
Suricata
CVE-2024-6047: ET WEB_SPECIFIC_APPS GeoVision DateSetting.cgi szSrvIpAddr Parameter Command Injection Attempt (suricata · 2025-05-06)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GeoVision DateSetting.cgi szSrvIpAddr Parameter Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:16; content:"/DateSetting.cgi"; fast_pattern; http.request_body; content:"szSrvIpAddr|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-6047; reference:cve,2024-11120; reference:url,www.akamai.com/blog/security-research/2025/may/active-exploitation-mirai-geovision-iot-botnet; classtype:attempted-admin; sid:2062140; rev:1; metadata:affected_product GeoVision, attack_target IoT, tls_state plaintext, created_at
No public exploits indexed.
No writeups or analysis indexed.