CVE-2025-12214
Published: 27 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-12214 is a stack-based buffer overflow vulnerability affecting the Tenda O3 router on firmware version 1.0.0.10(2478). The flaw exists in the SetValue and GetValue functions of the /goform/sysAutoReboot file, where manipulation of the "enable" argument triggers the overflow. This issue, linked to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), was published on 2025-10-27 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected device.
Advisories and references include a GitHub repository detailing the exploit for Tenda O3 v2.0 sysAutoReboot, VulDB entries (CTI ID 329884, ID 329884, submit 673269), and the official Tenda website. The exploit is publicly available and may be used, but no specific patches or mitigations are outlined in the provided details.
The public availability of the exploit underscores the urgency for Tenda O3 users to monitor vendor updates and apply any forthcoming firmware patches.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in remotely accessible web endpoint (/goform/sysAutoReboot) on Tenda O3 router enables remote exploitation of a public-facing application.