CVE-2021-31755 — Tenda AC11 Router Stack Buffer Overflow Vulnerability

Tenda AC11 — Stack Buffer Overflow in /goform/setmac POST Handler Enabling Unauthenticated Root RCE, Exploited by IoT Botnets

What is the Tenda AC11?

Tenda is a Chinese consumer networking equipment manufacturer with significant market share in the SOHO (small office/home office) router market globally. The AC11 is a dual-band 802.11ac wireless router targeted at home and small business users. Consumer routers like the AC11 are frequent IoT botnet targets because they run internet-facing services with limited update mechanisms, are often purchased and never patched, run embedded Linux as root with no privilege separation, and exist in enormous numbers worldwide. Compromised routers are used as botnet nodes for DDoS attacks, proxy infrastructure, and cryptomining.

Overview

CVE-2021-31755 is a stack buffer overflow vulnerability (CWE-787) in the Tenda AC11 router's web management interface. The /goform/setmac POST handler processes user-supplied MAC address parameters by copying them into a fixed-size stack buffer using unsafe string operations without length validation. An unauthenticated remote attacker can send a crafted POST request with an oversized MAC address value to overflow the stack buffer, overwrite the return address, and achieve arbitrary code execution as root on the router. IoT botnet operators incorporated this vulnerability for mass recruitment of Tenda AC11 routers shortly after disclosure.

Affected Versions

Product                                        Vulnerable   Fixed
Tenda AC11 firmware versions before the fix    Yes          Contact Tenda for updated firmware

Technical Details

The setmac handler in the Tenda AC11 firmware is responsible for processing MAC address configuration changes submitted via the router's web administration interface:

  • Root cause: Out-of-bounds write / stack buffer overflow (CWE-787) — the setmac handler copies the user-supplied MAC address parameter into a fixed-size stack buffer using strcpy() or equivalent without checking the input length
  • Overflow mechanics: When the POST body contains a MAC address parameter longer than the buffer size, the overflow overwrites the saved return address on the stack, allowing an attacker to redirect execution
  • Authentication required: None — the /goform/setmac endpoint is accessible without prior authentication on many AC11 configurations
  • Execution context: The router's web server (httpd) runs as root on the embedded Linux OS; successful exploitation achieves root-level command execution
  • Exploitation simplicity: Stack buffer overflows in MIPS or ARM embedded Linux environments (common in consumer routers) are often straightforward to exploit due to the absence of modern memory protections like ASLR and stack canaries in older firmware builds
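To make the root cause concrete, the following is an added example and not code from the Tenda firmware: the handler and helper names, and the 18-byte buffer size, are assumptions. It shows the unsafe copy pattern described above (as a comment) beside a hardened replacement that validates the MAC parameter before any copy takes place.

```c
#include <stdint.h>
#include <string.h>

/* A textual MAC "aa:bb:cc:dd:ee:ff" is 17 characters plus the terminator.
 * MAC_STR_LEN and the function names below are assumptions for this example. */
#define MAC_STR_LEN 17

/* Unsafe pattern the advisory describes (contrast only; never called here):
 *   char mac[MAC_STR_LEN + 1];
 *   strcpy(mac, param);   // CWE-787: POST parameter length never checked
 * A parameter longer than 17 bytes runs past 'mac' into the saved frame. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hardened parse: accept exactly six colon-separated hex octets, nothing else.
 * Returns 0 and fills out[6] on success, -1 on any rejection. */
int parse_mac_param(const char *param, uint8_t out[6]) {
    size_t len = 0;
    if (param == NULL)
        return -1;
    /* Bounded scan: stop at MAC_STR_LEN + 1 so an oversized or unterminated
     * value is rejected without reading or copying past the limit. */
    while (len <= MAC_STR_LEN && param[len] != '\0')
        len++;
    if (len != MAC_STR_LEN)
        return -1;
    for (int i = 0; i < 6; i++) {
        const char *p = param + i * 3;
        int hi = hexval((unsigned char)p[0]), lo = hexval((unsigned char)p[1]);
        if (hi < 0 || lo < 0 || (i < 5 && p[2] != ':'))
            return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

/* Handler shape after the fix: validate first, then a copy that cannot overflow. */
int setmac_hardened(const char *param, char mac_out[MAC_STR_LEN + 1]) {
    uint8_t octets[6];
    if (parse_mac_param(param, octets) != 0)
        return -1;                               /* reject request, e.g. HTTP 400 */
    memcpy(mac_out, param, MAC_STR_LEN + 1);     /* length already verified */
    return 0;
}
```

The same bounded-length check is also the simplest thing to look for when auditing other /goform handlers in this firmware family, since the advisory notes the pattern recurs across consumer routers.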

Discovery

Identified by security researchers studying SOHO router vulnerabilities. The vulnerability follows a pattern common to many consumer routers from this era: web form handlers that use unsafe C string functions without bounds checking.

Exploitation Context

Consumer router vulnerabilities like CVE-2021-31755 are primary recruitment vectors for Mirai-variant botnets and their successors (Mozi, Satori, Cyclops Blink). Botnet operators maintain automated scanners that identify internet-exposed router admin interfaces and attempt exploitation. A compromised router is typically enrolled as a botnet node within seconds of exploitation and then used for DDoS amplification attacks, as a proxy for credential stuffing, or as a stepping stone for further network intrusion. The long tail of unpatched consumer routers means exploits for vulnerabilities like CVE-2021-31755 remain active years after disclosure, as many devices are never updated.

Remediation

  1. Check Tenda's support website for firmware updates addressing CVE-2021-31755 for the AC11
  2. Disable remote management — ensure the router's web administration interface is not accessible from the WAN (internet-facing) interface. This is the single most effective mitigation for most consumer router vulnerabilities
  3. Change the default admin credentials to a strong, unique password
  4. If the router cannot be patched and remote management cannot be fully disabled, consider replacing it with a currently-supported model that receives regular firmware updates
  5. Monitor for unusual outbound connections from the router (high bandwidth, unusual destinations) that may indicate botnet activity
  6. Check whether your router is exposed via Shodan or Censys by searching for your public IP — unexpected web services visible from the internet indicate a misconfiguration

Key Details

Property               Value
CVE ID                 CVE-2021-31755
Vendor / Product       Tenda — AC11 Router
NVD Published          2021-05-07
NVD Last Modified      2025-11-10
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-787
CISA KEV Added         2021-11-03
CISA KEV Deadline      2021-11-17
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-05-07   CVE published; vulnerability in Tenda AC11 setmac handler disclosed
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline

References

Resource                   Type
NVD — CVE-2021-31755       Vulnerability Database
CISA KEV Catalog Entry     US Government