Login Sign Up

CVE-2025-12271

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A buffer overflow vulnerability in Tenda CH22 router firmware version 1.0.0.1 allows remote attackers to execute arbitrary code by manipulating the 'page' parameter in the fromRouteStatic function. This affects all users running the vulnerable firmware version on Tenda CH22 routers. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • Tenda CH22 router
Versions: 1.0.0.1
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected regardless of configuration.

📦 What is this software?

Ch22 Firmware by Tenda

View all CVEs affecting Ch22 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete router compromise, network traffic interception, credential theft, and lateral movement to connected devices.

🟠

Likely Case

Router compromise allowing attacker to modify DNS settings, intercept traffic, or use the router as a botnet node.

🟢

If Mitigated

Limited impact if network segmentation isolates the router and regular credential rotation is implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and routers are typically internet-facing devices.
🏢 Internal Only: MEDIUM - Could still be exploited by internal attackers or malware that has breached the network perimeter.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and install new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable remote administration

all

Prevent external access to router administration interface

Network segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

  • Replace affected routers with patched or different vendor models
  • Implement strict firewall rules blocking all external access to router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 1.0.0.1, device is vulnerable.

Check Version:

Check router web interface or use nmap/router scanning tools to identify firmware version

Verify Fix Applied:

Verify firmware version has been updated to a version later than 1.0.0.1

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/RouteStatic
  • Multiple failed buffer overflow attempts
  • Unexpected router reboots

Network Indicators:

  • Unusual outbound connections from router
  • DNS hijacking patterns
  • Traffic redirection

SIEM Query:

source_ip=router_ip AND (uri_path="/goform/RouteStatic" OR event_description CONTAINS "buffer overflow")

📊 Metadata

CVE ID: CVE-2025-12271
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
EPSS Score: 0.16% exploit probability (36.9th percentile)
Published: October 27, 2025
Last Updated: October 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12271, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)