A critical remote code execution vulnerability, identified as CVE-2025-11418, has been discovered in multiple Tenda products. This flaw allows an unauthenticated remote attacker to take complete control of an affected device, posing a severe risk to network security, data confidentiality, and operational continuity. Immediate patching is required to mitigate the threat of a full network compromise.

The vulnerability is a stack-based buffer overflow within the HTTP Request Handler component. Specifically, the formWrlsafeset function, accessible via the /goform/AdvSetWrlsafeset endpoint, fails to properly validate the length of user-supplied input. An unauthenticated attacker can send a specially crafted HTTP POST request with an overly long parameter, causing a buffer overflow that overwrites the stack's return address, leading to arbitrary code execution with the privileges of the web server process, which is typically root on these devices.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an attacker to gain complete administrative control over the affected network device. The potential consequences include interception and theft of all network traffic, unauthorized access to the internal network, deployment of malware, and using the compromised device as part of a larger botnet for launching further attacks. This represents a significant risk to data confidentiality, system integrity, and the availability of network services.

Immediate Action: Immediately identify all vulnerable Tenda devices within the environment and update the firmware to the latest version provided by the vendor. After patching, monitor for any signs of post-compromise activity and review historical access logs for suspicious requests to the vulnerable endpoint.

Proactive Monitoring: Configure network monitoring and firewall logging to detect and alert on anomalous HTTP POST requests to the /goform/AdvSetWrlsafeset URI on Tenda devices. Monitor for unexpected device reboots or crashes, which could indicate failed exploitation attempts.

Compensating Controls: If patching cannot be performed immediately, implement the following controls:

• Disable WAN (internet-facing) access to the device's web administration interface.
• Use network segmentation and apply access control lists (ACLs) to restrict access to the device's management interface to only trusted administrative workstations.

Public Exploit Available: false

Given the critical 9.8 CVSS score, this vulnerability requires immediate attention. The risk of unauthenticated remote code execution on a network perimeter device is severe. We strongly recommend that organizations prioritize the immediate application of vendor-supplied firmware updates to all affected Tenda products. Although this vulnerability is not currently listed on the CISA KEV catalog, its critical nature makes it a prime candidate for future inclusion and widespread exploitation.