CVE-2025-12273
Published: 27 October 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-12273 is a buffer overflow vulnerability in Tenda CH22 firmware version 1.0.0.1. The flaw affects the fromwebExcptypemanFilter function in the /goform/webExcptypemanFilter file, where manipulation of the "page" argument triggers the overflow. Published on 2025-10-27, it is associated with CWE-119 and CWE-120.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network-accessible exploitation with low complexity and low privileges required, without user interaction. Remote attackers with low privileges can exploit it to achieve high impacts on confidentiality, integrity, and availability, potentially compromising the device.
Advisories are documented on VulDB (ctiid.329945, id.329945, submit.674161) and a GitHub issue at QIU-DIE/CVE/issues/22, with the Tenda website referenced. An exploit is publicly available and could be used for attacks, though specific mitigation or patch details are not outlined in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in unauthenticated web endpoint (/goform/webExcptypemanFilter) enables remote exploitation of public-facing application for arbitrary code execution (T1190) and denial of service via crashes (T1499.004).