CVE-2025-8017
published 2025-07-22


Priority P2 · 74 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 8.34% (94.3th percentile)
A vulnerability was found in Tenda AC7 15.03.06.44. It has been classified as critical. Affected is the function formSetMacFilterCfg of the file /goform/setMacFilterCfg of the component httpd. The manipulation of the argument deviceList leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Affected

2 ranges
Vendor   Product        Version range   Fixed in
tenda    ac7
tenda    ac7_firmware

Detection & IOCs (extracted from sources)

url: /goform/setMacFilterCfg
path: /goform/setMacFilterCfg
command: POST /goform/setMacFilterCfg with deviceList parameter value >= 100 bytes
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda setMacFilterCfg deviceList Parameter Buffer Overflow Attempt (CVE-2025-8017)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/goform/setMacFilterCfg"; fast_pattern; http.request_body; content:"deviceList|3d|"; pcre:"/^[^\x26$]{100,}(?:\x26|$)/R"; reference:url,github.com/Thir0th/Thir0th-CVE/; reference:cve,2025-8017; classtype:web-application-attack; sid:2063671; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_22, cve CVE_2025_8017, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_07_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect HTTP POST requests to /goform/setMacFilterCfg with a URI length of exactly 23 bytes, targeting Tenda AC7 httpd.
  • Flag requests where the deviceList parameter value in the POST body is 100 or more characters (the rule matches the literal 'deviceList=', written as deviceList|3d|), indicative of a stack-based buffer overflow attempt.
  • The vulnerability is in the formSetMacFilterCfg function within the httpd component; the manipulation of the 'deviceList' argument triggers a stack-based buffer overflow exploitable remotely.
  • Public exploit code is available; reference the Thir0th CVE GitHub repository for PoC details.
  • Traffic is expected in plaintext (non-TLS); deploy detection at perimeter and internal network boundaries.
  • The Snort/Suricata rule (SID 2063671) uses a URI bsize match of exactly 23 bytes for /goform/setMacFilterCfg; ensure your IDS/IPS normalizes URI length consistently to avoid false negatives from URL encoding or trailing slashes.
  • The PCRE pattern triggers on deviceList values of 100+ non-ampersand characters; tune the threshold if legitimate device list configurations on your network use long MAC address lists to reduce false positives.
  • The affected version is specifically Tenda AC7 firmware 15.03.06.44; scope detection to devices running this exact version to reduce noise.
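
The matching logic of the rule above, re-expressed in Python so the exact-URI and threshold caveats can be checked offline against proxy or web logs. This is an added example, not code from this page or from the rule's authors; the sample requests, the helper names and the normalization step are assumptions, and whether the device itself accepts URI variants is not stated on the page.

```python
import re
from urllib.parse import unquote

TARGET_URI = "/goform/setMacFilterCfg"  # 23 bytes, the rule's bsize:23
DEFAULT_THRESHOLD = 100                 # the rule's {100,} quantifier

def normalize_uri(uri):
    """Decode percent-encoding, drop the query string and trailing slashes."""
    path = unquote(uri.split("?", 1)[0])
    return path.rstrip("/") or "/"

def rule_matches(method, uri, body, threshold=DEFAULT_THRESHOLD, normalize=False):
    """Approximate SID 2063671: POST + exact URI + long deviceList value."""
    path = normalize_uri(uri) if normalize else uri
    if method != "POST" or path != TARGET_URI:
        return False
    # Same shape as the rule's PCRE: N+ chars that are not '&' or '$',
    # then either '&' or the end of the body.
    pattern = r"deviceList=[^&$]{%d,}(?:&|$)" % threshold
    return re.search(pattern, body) is not None

# Constructed sample requests (method, uri, body); filler values are synthetic.
SAMPLES = {
    "short_value":    ("POST", TARGET_URI, "deviceList=aa:bb:cc:dd:ee:ff"),
    "len_99":         ("POST", TARGET_URI, "deviceList=" + "A" * 99),
    "len_100":        ("POST", TARGET_URI, "deviceList=" + "A" * 100 + "&x=1"),
    "wrong_method":   ("GET",  TARGET_URI, "deviceList=" + "A" * 120),
    "trailing_slash": ("POST", TARGET_URI + "/", "deviceList=" + "A" * 120),
}

def evaluate(threshold=DEFAULT_THRESHOLD):
    """Return {name: (strict_match, normalized_match)} for every sample."""
    return {
        name: (rule_matches(*req, threshold=threshold),
               rule_matches(*req, threshold=threshold, normalize=True))
        for name, req in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, (strict, norm) in evaluate().items():
        print(f"{name:15} strict={strict!s:5} normalized={norm}")
```

The strict column mirrors the rule as written; the normalized column shows what the same check flags once the URI is canonicalized before comparison.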

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 7.4 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C