cbcvebase.
CVE-2025-5861
published 2025-06-09

CVE-2025-5861: A vulnerability has been found in Tenda AC7 15.03.06.44 and classified as critical. This vulnerability affects the function fromadvsetlanip of the file…

PriorityP270critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
4.69%
90.7th percentile
A vulnerability has been found in Tenda AC7 15.03.06.44 and classified as critical. This vulnerability affects the function fromadvsetlanip of the file /goform/AdvSetLanip. The manipulation of the argument lanMask leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Affected

3 ranges
VendorProductVersion rangeFixed in
googlechrome_chrome
tendaac7
tendaac7_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/goform/AdvSetLanip
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda AdvSetLanip lanMask Parameter Buffer Overflow Attempt (CVE-2025-5861, CVE-2025-15218)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/goform/AdvSetLanip"; fast_pattern; http.request_body; content:"lanMask"; pcre:"/^[^\x2c\x7d$]{100,}(?:\x2c|\x7d|$)/R"; reference:url,candle-throne-f75.notion.site/Tenda-AC15-fromadvsetlanip-20adf0aa118580a09182c1c5c42079fc; reference:cve,2025-5861; reference:cve,2025-15218; classtype:web-application-attack; sid:2062819; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_06_09, cve CVE_2025_5861, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Attack is delivered via HTTP POST to the exact URI /goform/AdvSetLanip with a body containing the 'lanMask' parameter. A lanMask value exceeding 100 characters (with no comma or closing-brace delimiter) indicates an overflow attempt.
  • The vulnerable function is fromadvsetlanip inside the file /goform/AdvSetLanip; the overflow is triggered by manipulating the 'lanMask' argument.
  • The attack is remotely exploitable and the exploit has been publicly disclosed; prioritise perimeter/edge detection for Tenda AC7 devices.
  • Traffic is expected in plaintext (non-TLS); deploy the Snort/Suricata rule at the network perimeter targeting inbound HTTP to home-net devices.
  • ·The Snort/Suricata rule (sid:2062819) uses a fixed URI bsize of 19 bytes for /goform/AdvSetLanip; ensure your sensor's HTTP normalisation does not alter URI length before matching.
  • ·The PCRE pattern matches a lanMask value of 100+ characters not containing a comma (0x2c) or closing brace (0x7d); tune the threshold if legitimate long subnet masks are present in your environment.
  • ·The rule covers two CVEs simultaneously (CVE-2025-5861 and CVE-2025-15218); verify applicability to each affected device model (AC7 vs AC15) before deploying.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.