CVE-2025-12611
Published: 03 November 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-12611 is a buffer overflow vulnerability (CWE-119, CWE-120) in Tenda AC21 routers running firmware version 16.03.08.16. The flaw affects the formSetPPTPServer function in the /goform/SetPptpServerCfg file, where manipulation of the startIp argument triggers the overflow.
The vulnerability enables remote exploitation by attackers with low privileges (PR:L), requiring network access, low complexity, and no user interaction, as indicated by its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing full compromise of the affected device. A public exploit is available and might be used.
Advisories and additional details are available via references including VulDB entries (ctiid.330906, id.330906, submit.678491), a GitHub issue at LX-LX88/cve/issues/10, and the Tenda website at tenda.com.cn. Practitioners should consult these for any patch availability or mitigation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote buffer overflow in router web management interface (/goform/SetPptpServerCfg) enables exploitation of public-facing application for RCE (T1190) and application crash/DoS (T1499.004), with public PoC available.