CVE-2025-12595
Published: 02 November 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-12595 is a buffer overflow vulnerability affecting Tenda AC23 routers running firmware version 16.03.07.52. The flaw resides in the formSetVirtualSer function of the /goform/SetVirtualServerCfg file, where manipulation of the argument list triggers the overflow. Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), it was published on 2025-11-02 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Attackers can exploit this vulnerability remotely over the network with low complexity and low privileges, such as those of an authenticated user. Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution or denial of service. A public exploit is available, increasing the risk of real-world attacks against exposed Tenda AC23 devices.
Advisories from VulDB (ctiid.330890, id.330890, submit.677581) and a GitHub issue (LX-LX88/cve/issues/8) document the vulnerability details and public exploit. The Tenda website (tenda.com.cn) serves as a reference for vendor communications, though specific patch information is not detailed in the available data. Security practitioners should monitor these sources for mitigation guidance and firmware updates.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote buffer overflow in the router's public-facing web management interface (/goform/SetVirtualServerCfg) enables initial access through exploitation of a public-facing application (T1190) and denial of service via application crash or disruption (T1499.004). Potential RCE and info leakage further facilitated.