CVE-2025-13446 in AC21
Summary
by MITRE • 11/20/2025
A vulnerability has been found in Tenda AC21 16.03.08.16. This vulnerability affects unknown code of the file /goform/SetSysTimeCfg. The manipulation of the argument timeZone/time leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 11/21/2025
This vulnerability resides within the Tenda AC21 router firmware version 16.03.08.16 where a stack-based buffer overflow occurs in the /goform/SetSysTimeCfg file. The specific flaw manifests when processing the timeZone/time argument parameters, creating a condition where malicious input can exceed the allocated buffer space on the stack. This particular vulnerability represents a critical security weakness that enables remote code execution capabilities through unauthenticated network access, as the attack vector does not require any user interaction or authentication credentials. The exploitation of this vulnerability allows attackers to overwrite adjacent stack memory locations and potentially execute arbitrary code on the affected device. The buffer overflow vulnerability in this context aligns with CWE-121 which describes stack-based buffer overflow conditions where insufficient bounds checking permits data to overwrite adjacent memory locations. The attack surface is particularly concerning as it operates through the web interface of the router, making it accessible to anyone with network connectivity to the device without requiring physical access or prior authentication.
The technical exploitation of this vulnerability follows a classic stack-based buffer overflow pattern where input validation fails to properly constrain the length of the timeZone/time parameter. When an attacker sends a specially crafted request containing an oversized time zone value to the SetSysTimeCfg endpoint, the firmware fails to validate the input length against the allocated buffer space, resulting in memory corruption. This memory corruption can be leveraged to overwrite return addresses, function pointers, or other critical stack data, enabling an attacker to redirect execution flow and potentially gain full control over the router's operating system. The remote nature of this attack means that adversaries can exploit this vulnerability from anywhere on the internet without requiring physical access to the device, making it particularly dangerous for network infrastructure devices that are often exposed to public networks. The disclosed exploit demonstrates that this vulnerability can be reliably triggered through network-based attacks, indicating that the flaw exists in the core firmware processing logic rather than in specific user-facing interfaces.
The operational impact of this vulnerability extends beyond simple remote code execution, as compromised routers can serve as launching points for broader network attacks. Once an attacker gains control of the router, they can modify network configurations, redirect traffic through malicious proxies, or use the device as a pivot point for attacking internal network resources. This vulnerability affects the fundamental network security posture of organizations that rely on Tenda AC21 routers, as the compromised device can become part of a botnet or be used to conduct man-in-the-middle attacks against internal communications. The attack can be automated and does not require advanced technical skills to execute, making it particularly dangerous for widespread exploitation. The vulnerability also represents a significant risk to network availability as attackers could potentially cause the device to crash or become unresponsive, creating denial of service conditions that disrupt network connectivity for legitimate users. This aligns with attack patterns described in the MITRE ATT&CK framework under the T1071.004 technique for application layer protocol usage and T1566 for social engineering attacks that leverage compromised network infrastructure.
Mitigation strategies for this vulnerability should prioritize immediate firmware updates from Tenda to address the buffer overflow condition in the SetSysTimeCfg endpoint. Network administrators should implement network segmentation to isolate critical infrastructure from less secure network segments, reducing the potential impact of a successful exploitation. Additional protective measures include disabling unnecessary web interfaces and services on the router, implementing firewall rules to restrict access to the device's management ports, and monitoring network traffic for unusual patterns that might indicate exploitation attempts. The vulnerability also highlights the importance of input validation and bounds checking in embedded systems, as proper parameter validation could prevent the buffer overflow condition from occurring. Organizations should also consider implementing network intrusion detection systems that can identify exploitation attempts targeting known vulnerabilities in network infrastructure devices. Regular security assessments of network equipment should be conducted to identify similar vulnerabilities that might exist in other firmware components, as this vulnerability represents a pattern that could be present in other parts of the router's codebase. The disclosed exploit availability means that defensive measures should be implemented immediately, as the vulnerability is likely to be actively exploited in the wild.