Primary

Context

Tenda AC23 Buffer Overflow Vulnerability in formSetPPTPUserList Function

Vulnerability

A buffer overflow vulnerability has been identified in the Tenda AC23 router, specifically in the version 16.03.07.52. The issue arises in the formSetPPTPUserList function within the HTTP POST request handler. The vulnerability can be exploited remotely by manipulating the 'list' parameter in a POST request, leading to unauthorized memory access and potential code execution.

Impact

Exploitation of this vulnerability causes a buffer overflow, which can lead to arbitrary code execution by overwriting the memory stack.

Reproduction

To reproduce this vulnerability, send a POST request to the router's HTTP server with a crafted 'list' parameter that exceeds the buffer size expected by the formSetPPTPUserList function. This can be done using a variety of tools that allow for HTTP request manipulation, such as Burp Suite or Postman.

Added: Dec 30, 2025, 3:17 AM

Updated: Dec 30, 2025, 3:17 AM

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

10.0

exploitability

6.2

remediation

0.0

relevance

1.8

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

10.0

exploitability

6.2

remediation

0.0

relevance

1.8

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tenda AC23 Buffer Overflow Vulnerability in formSetPPTPUserList Function

Vulnerability

Impact

Reproduction

Affected Products

Tenda AC23

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating