Overview
A critical vulnerability, identified as CVE-2025-10120, has been found in Tenda AC20 routers up to version 16.03.08.12, a widely used network device for both home and business users. This vulnerability exists in the strcpy function of the /goform/GetParentControlInfo file and can be exploited remotely. Given the severity of the vulnerability and its potential implications on system security, it’s crucial for network administrators and users of Tenda AC20 routers to understand the risk and take immediate actions to mitigate it.
The public disclosure of this exploit means that malicious entities may already be aware of the vulnerability and could potentially be using it to compromise systems or exfiltrate sensitive data. The risk is high and immediate action is required.
Vulnerability Summary
CVE ID: CVE-2025-10120
Severity: Critical (CVSS: 8.8)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise and potential data leakage
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
Tenda AC20 | Up to 16.03.08.12
How the Exploit Works
The vulnerability lies in the strcpy function of the /goform/GetParentControlInfo file. When a malicious entity manipulates the mac argument, it can lead to a buffer overflow. The buffer overflow can then be used to execute arbitrary code in the context of the router’s operating system, allowing an attacker to compromise the system or exfiltrate data.
Conceptual Example Code
An attacker might exploit this vulnerability by sending a specially crafted HTTP request to the router. The following is a conceptual example of how the vulnerability might be exploited, using a hypothetical malicious payload:
POST /goform/GetParentControlInfo HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
mac=AA:BB:CC:DD:EE:FF%00[PADDING][REVERSED_SHELL_CODE]In this example, “[PADDING]” represents a sequence of bytes crafted to overflow the buffer, and “[REVERSED_SHELL_CODE]” is the malicious code that the attacker wants to execute on the router’s operating system.
Please note: this is a conceptual example and not a real exploit code. It’s designed to illustrate how an attacker might exploit the vulnerability.
Mitigation Guidance
Users and administrators are advised to apply the vendor’s patch as soon as possible. If the patch cannot be applied immediately, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used as a temporary mitigation measure. However, these are not long-term solutions and may not fully protect the system from being compromised. Updating the router’s firmware to the latest patched version remains the most effective way to mitigate this vulnerability.
