CVE-2025-11120
published 2025-09-28


Priority: P2 | 67 | high | 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.40% (87.3th percentile)

A weakness has been identified in Tenda AC8 16.03.34.06. The affected element is the function formSetServerConfig of the file /goform/SetServerConfig. Executing manipulation can lead to buffer overflow. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
tenda | ac18_firmware | |
tenda | ac8 | |

Detection & IOCs (extracted from sources)

url: /goform/SetServerConfig
bytes: HTTP|2f|1|2e|0|20|200|20|OK|3d|
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda SetServerConfig Buffer Overflow Attempt (CVE-2025-11120)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/goform/SetServerConfig"; fast_pattern; http.request_body; content:"HTTP|2f|1|2e|0|20|200|20|OK|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/alc9700jmo/CVE/issues/19; reference:cve,2025-11120; classtype:web-application-attack; sid:2066304; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_12, cve CVE_2025_11120, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Attack is delivered via HTTP POST to the exact URI /goform/SetServerConfig (URI length is exactly 23 bytes); match on POST method and this URI path to identify exploitation attempts.
  • The request body contains the byte pattern HTTP/1.0 200 OK= (hex-encoded as HTTP|2f|1|2e|0|20|200|20|OK|3d|), which is characteristic of the overflow payload embedded in the body.
  • A PCRE match on the request body, anchored by the R flag to the bytes immediately after the preceding content match, for 100 or more non-ampersand characters followed by an ampersand or end-of-string (/^[^&]{100,}(?:&|$)/R) indicates the oversized input triggering the buffer overflow.
  • The vulnerability is in the function formSetServerConfig of the file /goform/SetServerConfig on Tenda AC8 firmware version 16.03.34.06; scope detection to this specific device/firmware.
  • Attack is plaintext (non-TLS); deploy detection at the network perimeter and internally on HTTP traffic only.
  • The Snort/Suricata rule (ET sid:2066304) targets $HOME_NET as the destination, meaning it is designed to detect inbound exploitation attempts against internal Tenda devices; ensure $HOME_NET is correctly scoped to include the device subnets.
  • The exploit is publicly available; the reference PoC is hosted at github.com/alc9700jmo/CVE/issues/19 and should be reviewed to understand payload variations that may evade the current signature.
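
The rule's match conditions, restated as an offline checker for validating the signature logic against test requests. This is an added example, not code from the rule's authors or this page; the sample requests and the field name k are constructed, and only the URI, marker bytes and regex come from the rule above.

```python
import re

# Constants taken from the rule text on this page.
URI = "/goform/SetServerConfig"            # bsize:23 means the URI is exactly this
MARKER = b"HTTP/1.0 200 OK="               # HTTP|2f|1|2e|0|20|200|20|OK|3d| decoded
# pcre /^[^&]{100,}(?:&|$)/R: the R flag anchors the match right after MARKER.
TAIL = re.compile(rb"[^&]{100,}(?:&|$)")

def matches_rule(method: str, uri: str, body: bytes) -> bool:
    """True when the request meets every condition of the signature."""
    if method != "POST" or uri != URI:
        return False
    pos = body.find(MARKER)
    while pos != -1:                        # check each occurrence of the marker
        if TAIL.match(body, pos + len(MARKER)):
            return True
        pos = body.find(MARKER, pos + 1)
    return False

# Constructed sample requests (not captured traffic): (label, method, uri, body).
SAMPLES = [
    ("100-byte value", "POST", URI, MARKER + b"A" * 100),
    ("long value then next field", "POST", URI, MARKER + b"A" * 150 + b"&k=v"),
    ("99-byte value", "POST", URI, MARKER + b"A" * 99),
    ("short value, long later field", "POST", URI,
     MARKER + b"A" * 50 + b"&k=" + b"B" * 200),
    ("long value without marker", "POST", URI, b"k=" + b"A" * 300),
    ("GET instead of POST", "GET", URI, MARKER + b"A" * 100),
    ("URI with query string", "POST", URI + "?x=1", MARKER + b"A" * 100),
]

def run_samples():
    """Evaluate every constructed sample; returns {label: bool}."""
    return {label: matches_rule(m, u, b) for label, m, u, b in SAMPLES}

if __name__ == "__main__":
    for label, hit in run_samples().items():
        print(f"{'ALERT' if hit else 'pass '}  {label}")
```

Only the first two samples alert. The remaining five show how tightly the signature is bound to the exact URI, the marker bytes and the 100-byte threshold, which is the coverage to compare against when reviewing the referenced PoC.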

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
cisa | | 9.8 | CRITICAL |