High · Public exploit

Stack-based buffer overflow in Tenda AC1206 /goform/setMacFilterCfg (formSetMacFilterCfg)

Identifiers: CVE-2025-7544, CWE-121 · Stack-based Buffer Overflow

CVE-2025-7544 is a critical stack-based buffer overflow in Tenda AC1206 firmware 15.03.06.23 within the formSetMacFilterCfg handler exposed via the /goform/setMacFilterCfg endpoint. The vulnerability is triggered by manipulating the deviceList argument (e.g., an oversized deviceList value), resulting in a stack-based buffer overflow condition. The issue is remotely reachable and has been publicly disclosed; reported exploitation uses an overlong deviceList (e.g., ~500 repeated characters) to trigger the overflow, with outcomes including denial of service and potential remote code execution.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Remote exploitation can crash the device or service (DoS) and may allow remote code execution on the router, leading to full compromise of the affected device and its subsequent use for botnet enrollment and follow-on activity.

Mitigation

If you can’t patch tonight, do this now.

Reduce exposure of the router management/HTTP interface: ensure /goform endpoints are not reachable from the internet (disable remote management/UPnP as applicable, restrict management to LAN/VPN, and apply network ACLs/firewall rules). Monitor for and block exploitation attempts targeting /goform/setMacFilterCfg with anomalously long deviceList values; consider IOC-based blocking of known related infrastructure where applicable.
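
One way to implement the monitoring step above, as an added example that is not Mallory's or Tenda's code: a check that flags requests to /goform/setMacFilterCfg whose decoded deviceList exceeds a length threshold. The 256-character threshold, the record layout, the sample records and the /goform/otherHandler path are assumptions made for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/goform/setMacFilterCfg"  # endpoint named in the advisory
PARAM = "deviceList"                     # argument named in the advisory
MAX_LEN = 256  # ASSUMPTION: tune against legitimate traffic on your network


def device_list_lengths(uri, body=""):
    """Decoded length of every deviceList value in the query string and form body."""
    lengths = []
    for raw in (urlsplit(uri).query, body):
        # parse_qs percent-decodes, so encoded padding is measured at its decoded size
        for value in parse_qs(raw, keep_blank_values=True).get(PARAM, []):
            lengths.append(len(value))
    return lengths


def is_suspicious(uri, body="", max_len=MAX_LEN):
    """True when a request to the MAC-filter handler carries an oversized deviceList."""
    path = unquote(urlsplit(uri).path).rstrip("/")
    if path != TARGET_PATH:
        return False
    return any(n > max_len for n in device_list_lengths(uri, body))


def scan(records, max_len=MAX_LEN):
    """Return (source, longest deviceList length) for each flagged record."""
    alerts = []
    for source, uri, body in records:
        if is_suspicious(uri, body, max_len):
            alerts.append((source, max(device_list_lengths(uri, body))))
    return alerts


# Constructed sample records (source address, request URI, form body); not real traffic.
SAMPLE = [
    ("192.0.2.10", "/goform/setMacFilterCfg", "deviceList=aa:bb:cc:dd:ee:ff"),
    ("198.51.100.7", "/goform/setMacFilterCfg", "deviceList=" + "A" * 500),
    ("198.51.100.8", "/goform/setMacFilterCfg?deviceList=" + "%41" * 300, ""),
    ("192.0.2.11", "/goform/otherHandler", "deviceList=" + "A" * 500),  # hypothetical path
]

if __name__ == "__main__":
    for source, length in scan(SAMPLE):
        print(f"ALERT {source}: {PARAM} length {length} on {TARGET_PATH}")
```

Feed it records parsed from whatever sits in front of the management interface (reverse proxy, WAF or packet capture export), and set the threshold from the longest deviceList seen in legitimate administration.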

Remediation

Patch, then assume compromise.

Upgrade to a fixed firmware version from Tenda if available; if no patched firmware exists for AC1206 15.03.06.23, replace the device with a supported model/firmware line that receives security updates.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Tenda | Ac1206 Firmware | operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware (2)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (1)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (7)

Community discussion across Reddit, Mastodon, and other social sources.