Login Sign Up

CVE-2025-3237

5.3 MEDIUM
Authentication Bypass

📋 TL;DR

This vulnerability in Tenda FH1202 routers allows attackers to bypass access controls via the /goform/wrlwpsset endpoint, potentially enabling unauthorized configuration changes or system compromise. It affects users running Tenda FH1202 firmware version 1.2.0.14(408). The vulnerability can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • Tenda FH1202
Versions: 1.2.0.14(408)
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version only. Other Tenda models or firmware versions may not be vulnerable.

📦 What is this software?

Fh1202 Firmware by Tenda

View all CVEs affecting Fh1202 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router takeover allowing network traffic interception, DNS hijacking, or deployment of persistent malware on the router.

🟠

Likely Case

Unauthorized configuration changes, network disruption, or credential theft from connected devices.

🟢

If Mitigated

Limited impact if proper network segmentation and firewall rules prevent external access to router management interface.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely, making internet-exposed routers immediate targets.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to gain router administrative privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in disclosed references. Attack requires network access to router management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. If update available, download and install via router web interface. 3. Reboot router after update. 4. Verify firmware version changed from 1.2.0.14(408).

🔧 Temporary Workarounds

Disable WAN Management Access

all

Prevent external access to router management interface

Change Default Admin Credentials

all

Use strong, unique admin password

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious access to /goform/wrlwpsset endpoint

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface. If version is exactly 1.2.0.14(408), device is vulnerable.

Check Version:

Check via router web interface at 192.168.0.1 or 192.168.1.1 (default)

Verify Fix Applied:

Verify firmware version has changed from 1.2.0.14(408) after update.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /goform/wrlwpsset from unauthorized IPs
  • Unusual configuration changes in router logs

Network Indicators:

  • Unusual POST requests to router management interface
  • Traffic to /goform/wrlwpsset from external sources

SIEM Query:

source="router_logs" AND (uri="/goform/wrlwpsset" OR message="wrlwpsset")

📊 Metadata

CVE ID: CVE-2025-3237
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-266
EPSS Score: 0.67% exploit probability (70.9th percentile)
Published: April 4, 2025
Last Updated: May 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-3237, you might also want to check these:

CVE-2026-23800 10.0

This vulnerability allows attackers to escalate privileges in Modular DS modular-connector WordPress...

Same vulnerability type (CWE-266)
CVE-2026-23550 10.0

This critical vulnerability in Modular DS allows attackers to escalate privileges due to incorrect p...

Same vulnerability type (CWE-266)
CVE-2025-41115 10.0

A critical vulnerability in Grafana's SCIM provisioning allows malicious SCIM clients to provision u...

Same vulnerability type (CWE-266)