CVE-2025-9297 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-9297?

CVE-2025-9297 has a CVSS score of 8.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on Tenda i22 routers by exploiting a stack-based buffer overflow in the web interface. Attackers can send specially crafted requests to the /goform/wxportalauth endpoint to gain control of affected devices. All users running Tenda i22 firmware version 1.0.0.3(4687) are vulnerable.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda i22 routers by exploiting a stack-based buffer overflow in the web interface. Attackers can send specially crafted requests to the /goform/wxportalauth endpoint to gain control of affected devices. All users running Tenda i22 firmware version 1.0.0.3(4687) are vulnerable.

💻 Affected Systems

Products:

Tenda i22

Versions: 1.0.0.3(4687)

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerable endpoint is part of the web management interface, typically accessible on port 80/443. No special configuration is required for exploitation.

📦 What is this software?

I22 Firmware by Tenda

View all CVEs affecting I22 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering, though internal network compromise remains possible.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects internet-facing router interfaces.

🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated attackers to compromise network infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept code exists in GitHub repositories, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda's official website for firmware updates. 2. If available, download the latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply the update. 6. Reboot the router.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to the router's web interface by disabling remote management features.

Network segmentation and firewall rules

all

Isolate affected routers in separate network segments and implement strict firewall rules to limit access to management interfaces.

🧯 If You Can't Patch

Replace affected routers with different models or brands that receive security updates
Implement network monitoring and intrusion detection specifically for buffer overflow attempts against the /goform/wxportalauth endpoint

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface or using nmap to identify Tenda i22 devices running version 1.0.0.3(4687).

Check Version:

Check router web interface at http://[router-ip]/ or use telnet/ssh if available to check version information.

Verify Fix Applied:

Verify firmware version has been updated to a version later than 1.0.0.3(4687) through the router admin interface.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/wxportalauth with manipulated Type parameter
Router crash or reboot logs
Unusual outbound connections from router

Network Indicators:

HTTP requests to router IP on port 80/443 with buffer overflow patterns in Type parameter
Sudden changes in router configuration

SIEM Query:

source="router_logs" AND (url="/goform/wxportalauth" OR url="/goform/wxportalauth") AND (param="Type" OR payload_size>normal)

📊 Metadata

CVE ID: CVE-2025-9297

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.4% exploit probability (60.4th percentile)

Published: August 21, 2025

Last Updated: September 3, 2025

🔗 References

https://github.com/davybat/IoT-Vuls/blob/main/tenda/formWeixinAuthInfoGet.md Exploit,Third Party Advisory
https://github.com/davybat/IoT-Vuls/blob/main/tenda/formWeixinAuthInfoGet.md#poc Exploit,Third Party Advisory
https://vuldb.com/?ctiid.320902 Permissions Required,VDB Entry
https://vuldb.com/?id.320902 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.632332 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product
https://github.com/davybat/IoT-Vuls/blob/main/tenda/formWeixinAuthInfoGet.md Exploit,Third Party Advisory
https://github.com/davybat/IoT-Vuls/blob/main/tenda/formWeixinAuthInfoGet.md#poc Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-9297, you might also want to check these: