Login Sign Up

CVE-2025-12235

8.0 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A buffer overflow vulnerability in Tenda CH22 router firmware version 1.0.0.1 allows attackers on the local network to execute arbitrary code by manipulating the 'page' parameter in the fromSetIpBind function. This could lead to complete device compromise. Only Tenda CH22 routers running the vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Tenda CH22 router
Versions: 1.0.0.1
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the web management interface accessible from the local network.

📦 What is this software?

Ch22 Firmware by Tenda

View all CVEs affecting Ch22 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full router compromise, credential theft, network traffic interception, and lateral movement to other devices.

🟠

Likely Case

Router compromise allowing attacker to modify network settings, intercept traffic, or use the router as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if network segmentation prevents local network access or if the vulnerable interface is disabled.

🌐 Internet-Facing: LOW - Attack requires local network access, not directly exploitable from the internet.
🏢 Internal Only: HIGH - Exploitable from local network with public exploit available.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub, requires local network access but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable web management interface

all

Disable the vulnerable web interface to prevent exploitation

Network segmentation

all

Isolate router management interface to trusted VLAN only

🧯 If You Can't Patch

  • Replace affected router with different model or vendor
  • Implement strict network access controls to limit who can reach the router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 1.0.0.1, device is vulnerable.

Check Version:

Check via router web interface at 192.168.0.1 or 192.168.1.1

Verify Fix Applied:

Verify firmware version has been updated to a version later than 1.0.0.1

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/SetIpBind with manipulated page parameter
  • Multiple failed buffer overflow attempts

Network Indicators:

  • Unusual traffic patterns to router management interface from internal hosts
  • Exploit payloads in HTTP requests

SIEM Query:

source_ip IN (internal_range) AND dest_ip = (router_ip) AND url_path = "/goform/SetIpBind" AND http_method = "POST"

📊 Metadata

CVE ID: CVE-2025-12235
CVSS v3 Score: 8.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
EPSS Score: 0.2% exploit probability (41.9th percentile)
Published: October 27, 2025
Last Updated: October 27, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12235, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)