CVE-2025-12233
Published: 27 October 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-12233 is a buffer overflow vulnerability affecting Tenda CH22 firmware version 1.0.0.1, published on 2025-10-27. The flaw resides in the fromSafeUrlFilter function within the /goform/SafeUrlFilter file, where manipulation of the "page" argument triggers the overflow. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs-119 and CWE-120.
A remote attacker with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as arbitrary code execution or denial of service. An exploit has been publicly disclosed and may be actively used.
Advisories and additional details are documented in references including a GitHub issue at https://github.com/QIU-DIE/CVE/issues/14, VulDB entries at https://vuldb.com/?ctiid.329903, https://vuldb.com/?id.329903, and https://vuldb.com/?submit.673714, as well as the vendor site at https://www.tenda.com.cn/. No specific patch or mitigation guidance is detailed in the CVE description.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote buffer overflow in the router's web management interface (/goform/SafeUrlFilter) enables exploitation of public-facing applications (T1190), remote services (T1210), and application/system crashes for DoS (T1499.004), potentially leading to arbitrary code execution and information disclosure.