CVE-2025-12622
Published: 03 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-12622 is a buffer overflow vulnerability affecting the Tenda AC10 router running firmware version 16.03.10.13. The flaw exists in the formSysRunCmd function of the /goform/SysRunCmd file, where manipulation of the "getui" argument triggers the buffer overflow. It is classified under CWE-119 and CWE-120, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability enables remote exploitation by attackers who possess low privileges, such as authenticated users with network access. Exploitation requires low attack complexity and no user interaction, allowing adversaries to achieve high confidentiality, integrity, and availability impacts. This could result in arbitrary code execution, data leakage, system modification, or denial of service on the affected device.
Advisories detailing the issue are available from VulDB at https://vuldb.com/?ctiid.330914, https://vuldb.com/?id.330914, and https://vuldb.com/?submit.678889, along with a proof-of-concept at https://pan.baidu.com/s/1Jl1zy5niigg1XYm8ZCh_Lg and the vendor site at https://www.tenda.com.cn/. The CVE description notes that the exploit has been publicly disclosed and may be utilized.
The vulnerability was published on 2025-11-03, highlighting the need for immediate firmware updates or network segmentation for exposed Tenda AC10 devices.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote buffer overflow vulnerability in the Tenda AC10 router's web management interface (/goform/SysRunCmd) allows unauthenticated attackers to potentially achieve remote code execution by exploiting a public-facing application.