cbcvebase.
CVE-2025-1851
published 2025-03-03

CVE-2025-1851: A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15.03.06.44. This affects the function formSetFirewallCfg of the file…

PriorityP266high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.99%
58.1th percentile
A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15.03.06.44. This affects the function formSetFirewallCfg of the file /goform/SetFirewallCfg. The manipulation of the argument firewallEn leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Affected

53 ranges· showing 25
VendorProductVersion rangeFixed in
linuxlinux_kernel>= 6.15.0 < 6.17.66.17.6
msrccbl2_vim_8.2.5064-1_on_cbl_mariner_2.0
msrccbl_mariner_1.0_arm
msrccbl_mariner_1.0_x64
msrccbl_mariner_2.0_arm
msrccbl_mariner_2.0_x64
msrccm1_vim_8.2.5064-1_on_cbl_mariner_1.0
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7
tendaac7

Detection & IOCsextracted from sources · hover to see the quote

url/goform/SetFirewallCfg
commandPOST /goform/SetFirewallCfg with firewallEn= parameter value >= 100 bytes
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda SetFirewallCfg firewallEn Parameter Buffer Overflow Attempt (CVE-2025-8810, CVE-2025-29358, CVE-2025-1851, CVE-2024-2809)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:22; content:"/goform/SetFirewallCfg"; fast_pattern; http.request_body; content:"firewallEn|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:cve,2025-8810; reference:url,www.cve.org/CVERecord/SearchResults?query=SetFirewallCfg; reference:cve,2025-1851; reference:cve,2025-29358; reference:url,github.com/peris-navince/founded-0-days/blob/main/Tenda/ac8/formSetFirewallCfg/1.md; reference:cve,2024-2809; classtype:web-application-attack; sid:2065155; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_10, cve CVE_2025_1851_CVE_2025_8810_CVE_2024_2809_CVE_2025_29358, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect HTTP POST requests to /goform/SetFirewallCfg where the firewallEn parameter value is 100 or more bytes long (URL-encoded as firewallEn=), indicative of a stack-based buffer overflow attempt.
  • The URI path /goform/SetFirewallCfg has an exact byte size of 22; use bsize matching to reduce false positives.
  • Attack is delivered over plaintext HTTP (not TLS); perimeter and internal deployment recommended.
  • Maps to MITRE ATT&CK T1190 (Exploit Public-Facing Application) under tactic TA0001 (Initial Access).
  • Public PoC/exploit disclosure exists; treat any matching traffic as high-confidence exploitation attempt.
  • ·The Snort/Suricata rule (ET sid:2065155) covers multiple CVEs simultaneously (CVE-2025-8810, CVE-2025-29358, CVE-2025-1851, CVE-2024-2809); a match does not exclusively confirm CVE-2025-1851 exploitation — correlate with affected device version (Tenda AC7 up to 15.03.06.44).
  • ·The vulnerability is in the formSetFirewallCfg function of /goform/SetFirewallCfg on Tenda AC7; other Tenda models (e.g., AC8) share the same endpoint and are covered by the same rule.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_msrc7.8HIGH
vendor_redhat4.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.