CVE-2025-12212
Published: 27 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-12212 is a stack-based buffer overflow vulnerability affecting the Tenda O3 firmware version 1.0.0.10(2478). The issue resides in the SetValue and GetValue functions within the /goform/setNetworkService file, where manipulation of the upnpEn argument triggers the overflow. Associated with CWE-119 and CWE-121, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-10-27.
An attacker with low privileges, such as an authenticated user, can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation grants high impacts across confidentiality, integrity, and availability, enabling potential remote code execution on the affected device.
Advisories from VulDB detail the vulnerability and reference a public exploit available on GitHub at https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/O3v2.0/setNetworkService.md. No specific patches or mitigations are outlined in the provided sources; practitioners should consult the vendor site at https://www.tenda.com.cn/ for updates.
The exploit is publicly available and could be used for attacks, increasing the risk for unpatched Tenda O3 deployments.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in the remote web endpoint /goform/setNetworkService (upnpEn parameter) on Tenda O3 router enables remote code execution via exploitation of a public-facing application.