CVE-2025-12210

CVE-2025-12210 is a stack-based buffer overflow vulnerability affecting the Tenda O3 router on firmware version 1.0.0.10(2478). The flaw resides in the SetValue and GetValue functions within the /goform/AdvSetLanip file, where manipulation of the lanIp argument triggers the overflow. This issue corresponds to CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. A remote attacker with low privileges can exploit it over the network with low complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially enabling remote code execution.

References include a GitHub repository hosting a publicly available exploit at https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/O3v2.0/AdvSetLanip.md, along with VulDB entries at https://vuldb.com/?ctiid.329880, https://vuldb.com/?id.329880, and https://vuldb.com/?submit.673264. The Tenda website at https://www.tenda.com.cn/ is also referenced, though no specific mitigation or patch details are outlined in the provided information.