CVE-2025-12618
Published: 03 November 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network.
Security Summary
CVE-2025-12618 is a buffer overflow vulnerability in Tenda AC8 routers running firmware version 16.03.34.06. The flaw affects an unknown function in the /goform/DatabaseIniSet file, where manipulation of the "Time" argument triggers the overflow. Published on 2025-11-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-119 and CWE-120.
The vulnerability enables remote exploitation by attackers possessing low privileges, such as authenticated users on the device. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or device takeover.
Advisories and further details are documented on VulDB (https://vuldb.com/?ctiid.330912, https://vuldb.com/?id.330912, https://vuldb.com/?submit.678887) and the Tenda vendor site (https://www.tenda.com.cn/). A proof-of-concept exploit has been publicly disclosed, including at https://pan.baidu.com/s/11fdpTujKw6Xz0yPE2l4cMw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A buffer overflow in the Tenda AC8 router's remote web interface (/goform/DatabaseIniSet) enables remote exploitation for initial access or code execution on a public-facing application or remote service.