CVE-2025-11586

Received

Published: 10 Oct 2025, 21:16

Last modified:10 Oct 2025, 21:16

Vulnerability Summary

Overall Risk

Medium Risk

36/100

CVSS Score

9 CRITICAL

v2.0

EPSS Score

No data

CISA KEV

Not listed

Ransomware

No reports

Exploits

None found

Dark Web

Not detected

A vulnerability was determined in Tenda AC7 15.03.06.44. This affects an unknown function of the file /goform/setNotUpgrade. This manipulation of the argument newVersion causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

Source Identifier: cna@vuldb.com

CVSS	Source	Severity	Exploitability	Impact	Vector
v4.0	cna@vuldb.com	7.4 HIGH	NA	NA	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/V...
v3.1	Primary cna@vuldb.com	8.8 HIGH	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H...
v3.0	n/a
v2.0	cna@vuldb.com		8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C

Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119

Description:The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Not listed in CISA Known Exploited Vulnerabilities catalog.

No dark web activity detected for this vulnerability.

No known public exploit code indexed (as of 10 Oct 2025, 21:16).

Exploitation status can change quickly once PoC code appears.

No affected systems information available.

URL	Tags	Source
https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC7/setNotUpgrade.md	-	cna@vuldb.com
https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC7/setNotUpgrade.md#exploit	-	cna@vuldb.com
https://vuldb.com/?ctiid.327908	-	cna@vuldb.com
https://vuldb.com/?id.327908	-	cna@vuldb.com
https://vuldb.com/?submit.671597	-	cna@vuldb.com
https://www.tenda.com.cn/	-	cna@vuldb.com