CVE-2025-12272
Published: 27 October 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-12272 is a buffer overflow vulnerability in Tenda CH22 firmware version 1.0.0.1. The flaw affects the fromAddressNat function in the /goform/addressNat file, where manipulation of the "page" argument triggers the overflow. Published on 2025-10-27, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).
The vulnerability enables remote exploitation by an attacker possessing low privileges, as indicated by its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A successful attack requires network access with low complexity and no user interaction, allowing the attacker to compromise confidentiality, integrity, and availability to a high degree, potentially resulting in remote code execution or system disruption.
VulDB advisories (e.g., ctiid.329944, id.329944) document the issue and recent submission details, while a proof-of-concept exploit is publicly available on GitHub at https://github.com/QIU-DIE/CVE/issues/21. The vendor site https://www.tenda.com.cn/ is referenced, but no specific patch or mitigation guidance is detailed in the provided sources.
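The CWE-120 class named above is fixed by validating the parameter and bounding the copy. The following C sketch is an added example, not Tenda firmware code and not taken from the advisory: the function name, buffer size, digit limit and redirect string are hypothetical, and it assumes a handler that formats the "page" value into a fixed-size buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PAGE_MAX_DIGITS 4                      /* assumed upper bound for a page index */
#define URL_BUF_SIZE    64                     /* assumed size of the fixed buffer */
#define REDIRECT_FMT    "nat_list.html?page=%s" /* hypothetical redirect target */

/* Unsafe pattern that CWE-120 describes (comment only, never compiled):
 *     char url[URL_BUF_SIZE];
 *     sprintf(url, REDIRECT_FMT, page);   // length of page never checked
 */

/* Hardened form: returns 0 and fills out, or -1 if the value is rejected. */
int build_page_url(const char *page, char *out, size_t out_size)
{
    size_t len;
    int n;

    if (page == NULL || out == NULL || out_size == 0)
        return -1;

    /* Allow-list: 1..PAGE_MAX_DIGITS decimal digits; stop reading at the limit. */
    for (len = 0; page[len] != '\0'; len++) {
        if (len >= PAGE_MAX_DIGITS || !isdigit((unsigned char)page[len]))
            return -1;
    }
    if (len == 0)
        return -1;

    /* Bounded formatting; treat truncation as an error, not a partial result. */
    n = snprintf(out, out_size, REDIRECT_FMT, page);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values for the "page" argument. */
    const char *samples[] = { "1", "12345", "2x", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    char url[URL_BUF_SIZE];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_page_url(samples[i], url, sizeof url);
        printf("%-12.12s -> %s\n", samples[i], rc == 0 ? url : "rejected");
    }
    return 0;
}
```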
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated buffer overflow in the router's public-facing web interface (/goform/addressNat) allows remote exploitation of a public-facing application (T1190) and application or system denial of service via a crash (T1499.004); the potential for RCE facilitates device compromise.