CVE-2025-12213
Published: 27 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-12213 is a stack-based buffer overflow in the Tenda O3 router, firmware version 1.0.0.10(2478). The flaw is in the SetValue/GetValue functions behind the /goform/setVlanConfig web endpoint and is triggered by an over-long "lan" argument, which is written into a fixed-size stack buffer without an adequate bounds check. It is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vector means the endpoint is reachable over the network, the attack is of low complexity and needs no user interaction, but the attacker must already hold low privileges (PR:L), which on a router typically means a valid login to the web interface. A crafted request to the endpoint overflows the stack buffer, with high impact on confidentiality, integrity and availability. The entry was published on 2025-10-27; a public exploit has been disclosed and may be in use.
The references, a GitHub proof-of-concept at github.com/noahze01/IoT-vulnerable/blob/main/Tenda/O3v2.0/setVlanConfig.md and the VulDB entries (vuldb.com/?ctiid.329883, vuldb.com/?id.329883), describe the issue but list no fixed firmware version. Until the vendor publishes one, keep the O3's management interface off the Internet and reachable only from trusted networks, and watch tenda.com.cn for mitigation guidance or firmware updates.
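To make the bug class concrete, the following is an added example written for this page; it is not Tenda's firmware code and not the proof-of-concept linked above. The handler name, the 32-byte buffer, the frame layout and the query parser are all assumptions: the model places the saved return address directly above the local buffer, as a simplified stack frame, so that an over-long "lan" value can be watched landing on it. The hardened variant shows the length and character checks a handler of this kind needs.

```c
/*
 * Added illustration of the bug class in CVE-2025-12213. Not Tenda's code and
 * not the linked PoC: handler name, buffer size, frame layout and the query
 * parser are all assumptions made for this example.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LAN_BUF 32       /* assumed size of the handler's local "lan" buffer */
#define RET_OFF LAN_BUF  /* saved return address modelled right above it */
#define FRAME_BYTES 256  /* size of the simulated stack region */

/* Simplified stack frame kept as one flat byte region so the simulation
 * stays inside an object it owns while still showing what gets overwritten. */
struct frame { unsigned char bytes[FRAME_BYTES]; };

static uintptr_t frame_saved_ret(const struct frame *f) {
    uintptr_t r;
    memcpy(&r, f->bytes + RET_OFF, sizeof r);
    return r;
}

/* Minimal lookup of key=value in an "a=1&lan=xxx" query string. Returns a
 * pointer to the value (not NUL-terminated) and its length, or NULL. */
static const char *query_get(const char *qs, const char *key, size_t *len) {
    size_t klen = strlen(key);
    for (const char *p = qs; ; ) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *len = plen - klen - 1;
            return p + klen + 1;
        }
        if (!end) return NULL;
        p = end + 1;
    }
}

/* VULNERABLE pattern: the "lan" value is copied into the fixed buffer with
 * no length check, so bytes 32.. land on the saved return address. Returns
 * the saved return address after the copy so the effect is observable.
 * The clamp to FRAME_BYTES only keeps the simulation in bounds; the real
 * pattern (strcpy/sprintf into a local array) has no bound at all. */
uintptr_t set_vlan_config_vulnerable(const char *query) {
    struct frame f;
    uintptr_t original_ret = 0x00400abc;   /* arbitrary placeholder address */
    memset(f.bytes, 0, sizeof f.bytes);
    memcpy(f.bytes + RET_OFF, &original_ret, sizeof original_ret);

    size_t vlen;
    const char *val = query_get(query, "lan", &vlen);
    if (val) {
        if (vlen > FRAME_BYTES) vlen = FRAME_BYTES;   /* simulation guard only */
        memcpy(f.bytes, val, vlen);                   /* missing: vlen < LAN_BUF */
    }
    return frame_saved_ret(&f);
}

/* HARDENED form: reject values that do not fit (leaving room for the NUL)
 * and restrict them to the characters an interface/VLAN token needs.
 * Returns 0 and fills out[] on success, -1 on rejection. */
int set_vlan_config_hardened(const char *query, char out[LAN_BUF]) {
    size_t vlen;
    const char *val = query_get(query, "lan", &vlen);
    if (!val || vlen == 0 || vlen >= LAN_BUF) return -1;
    for (size_t i = 0; i < vlen; i++) {
        unsigned char c = (unsigned char)val[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-' && c != ',') return -1;
    }
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Convenience wrapper: the accepted "lan" value, or NULL if rejected. */
const char *hardened_lan_value(const char *query) {
    static char lan[LAN_BUF];
    return set_vlan_config_hardened(query, lan) == 0 ? lan : NULL;
}

/* Constructed attacker request body: "lan=" followed by 40 'A' bytes, enough
 * to fill the 32-byte buffer and run 8 bytes into the saved return address. */
const char *constructed_overflow_query(void) {
    static char q[4 + 40 + 1];
    memcpy(q, "lan=", 4);
    memset(q + 4, 'A', 40);
    q[44] = '\0';
    return q;
}

int main(void) {
    printf("benign   saved_ret = 0x%lx\n",
           (unsigned long)set_vlan_config_vulnerable("lan=eth0&vlan=100"));
    printf("overflow saved_ret = 0x%lx\n",
           (unsigned long)set_vlan_config_vulnerable(constructed_overflow_query()));
    const char *ok = hardened_lan_value("lan=eth0&vlan=100");
    printf("hardened benign   -> %s\n", ok ? ok : "rejected");
    printf("hardened overflow -> %s\n",
           hardened_lan_value(constructed_overflow_query()) ? "accepted" : "rejected");
    return 0;
}
```

With the benign request the modelled return address is unchanged; with the 40-byte value it becomes all 0x41 bytes, which is exactly the symptom a debugger shows for this bug class. The hardened handler rejects the same input on length alone, and its character check also stops a value like `eth0;reboot` reaching anything downstream that might pass it to a shell.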
Details
CWE(s)
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-121: Stack-based Buffer Overflow
Affected Products
- Tenda O3, firmware 1.0.0.10(2478)
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application (Initial Access)
Why these techniques?
A stack-based buffer overflow in the publicly accessible web endpoint /goform/setVlanConfig of the Tenda O3 router can lead to remote code execution on the device, which is exploitation of a public-facing application. The request still needs a low-privilege session (PR:L), so the technique applies wherever the router's management interface is reachable from an untrusted network.