CVE-2025-8180

8.8 HIGH

📋 TL;DR

A critical buffer overflow vulnerability in Tenda CH22 routers allows remote attackers to execute arbitrary code by manipulating the 'old_account' parameter in the formdeleteUserName function. This affects Tenda CH22 version 1.0.0.1 routers with the vulnerable firmware. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • Tenda CH22
Versions: 1.0.0.1
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the affected firmware version are vulnerable by default. The vulnerable endpoint /goform/deleteUserName is accessible via HTTP requests.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, lateral movement to internal networks, persistent backdoor installation, and data exfiltration.

🟠

Likely Case

Remote code execution resulting in device takeover, denial of service, or credential theft from connected devices.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering, though internal exploitation remains possible.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, and many routers are directly exposed to the internet.
🏢 Internal Only: HIGH - Even internally, the vulnerability can be exploited by any network-adjacent attacker to compromise the router.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making weaponization straightforward. The buffer overflow manipulation is well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda's official website for firmware updates.
2. If available, download the latest firmware for CH22.
3. Access the router admin interface.
4. Navigate to the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Network Segmentation and Access Control (platform: linux)

Restrict access to the router's web interface and administrative endpoints. These are rules for a Linux firewall or gateway placed in front of the router; TRUSTED_IP is a placeholder for the management host's address, and the ACCEPT rule must precede the DROP rule.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Disable Remote Administration (platform: all)

Turn off remote management features to prevent external exploitation.

🧯 If You Can't Patch

  • Isolate affected routers in a dedicated VLAN with strict firewall rules blocking all unnecessary traffic
  • Implement network monitoring for exploitation attempts targeting /goform/deleteUserName endpoint

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface. If version is 1.0.0.1, the device is vulnerable.

Check Version:

curl -s http://router-ip/login/Auth | grep -i version

Or check the System Status page in the web interface.

Verify Fix Applied:

After firmware update, verify version is no longer 1.0.0.1. Test if /goform/deleteUserName endpoint still accepts malformed old_account parameters.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /goform/deleteUserName with unusually long old_account parameters
  • Router crash/restart logs following web interface access

Network Indicators:

  • HTTP traffic to router IP on port 80 with POST to /goform/deleteUserName containing buffer overflow patterns
  • Unusual outbound connections from router after exploitation

SIEM Query:

source="router_logs" AND url="/goform/deleteUserName" AND (param_length>100 OR contains(param,"AAAAAAAA"))
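An added detection example, not part of this advisory: a small Python scanner that applies the thresholds from the SIEM query above (old_account longer than 100 characters, or a run of repeated filler characters) to constructed access-log lines. The log line format and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Thresholds mirror the page's SIEM query: length > 100 or a run of repeated filler.
MAX_PARAM_LEN = 100
FILLER_RUN = re.compile(r"(.)\1{7,}")  # 8 or more identical consecutive characters

# Constructed sample log lines in an assumed format: METHOD PATH "BODY" STATUS.
SAMPLE_LOG = [
    'POST /goform/deleteUserName "old_account=alice" 200',
    'POST /goform/deleteUserName "old_account=' + "A" * 300 + '" 200',
    'POST /goform/deleteUserName "old_account=' + "%41" * 64 + '" 500',
    'POST /goform/setWifi "ssid=home" 200',
    'GET /login/Auth "" 200',
]

LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>[^"]*)" (?P<status>\d{3})$')


def inspect_request(line):
    """Return a dict describing why a line is suspicious, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["method"] != "POST" or urlsplit(m["path"]).path != "/goform/deleteUserName":
        return None
    # parse_qs URL-decodes values, so percent-encoded filler is measured at its decoded length.
    params = parse_qs(m["body"], keep_blank_values=True)
    for value in params.get("old_account", []):
        reasons = []
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"old_account length {len(value)} > {MAX_PARAM_LEN}")
        if FILLER_RUN.search(value):
            reasons.append("repeated filler bytes in old_account")
        if reasons:
            return {"path": m["path"], "status": m["status"], "reasons": reasons}
    return None


def scan_log(lines):
    """Apply inspect_request to every line and keep only the hits."""
    return [hit for hit in map(inspect_request, lines) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 status on a flagged request is worth correlating with the router crash/restart indicator listed above.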
