CVE-2025-5629

Name of the Vulnerable Software and Affected Versions Tenda AC10 versions up to 15.03.06.47

Description A critical issue was found in the HTTP Handler component, specifically affecting the formSetPPTPServer function of the /goform/SetPptpServerCfg file. The manipulation of the startIp and endIp arguments leads to a buffer overflow. This issue can be exploited remotely.

Recommendations For Tenda AC10 versions up to 15.03.06.47, as a temporary workaround, consider restricting access to the /goform/SetPptpServerCfg endpoint until a patch is available. Avoid using the startIp and endIp arguments in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.