CVE-2025-12274
Published: 27 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-12274 is a buffer overflow vulnerability affecting Tenda CH22 firmware version 1.0.0.1. The issue resides in the fromP2pListFilter function within the /goform/P2pListFilter file, where manipulation of the "page" argument triggers the overflow. It is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), a High severity rating.
An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation allows high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) within the unchanged scope (S:U), potentially enabling arbitrary code execution or denial of service on the affected device.
Advisories and details are available via VulDB entries (ctiid.329946, id.329946, submit.674165) and a GitHub issue at QIU-DIE/CVE/issues/23, with the vendor site at tenda.com.cn listed as a reference. The exploit has been publicly disclosed and may be used, though no specific patch or mitigation steps are detailed in the available information.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A buffer overflow in the web endpoint (/goform/P2pListFilter) enables remote exploitation of a public-facing application for arbitrary code execution.