CVE-2025-25678
Published: 20 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25678 is a buffer overflow vulnerability (CWE-120) affecting the Tenda i12 router on firmware version V1.0.0.10(3805). The flaw exists in the formSetCfm function, triggered via a specially crafted funcpara1 parameter, and was published on 2025-02-20.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity, no privileges, no user interaction, and no change in scope. Remote attackers can thus trigger the buffer overflow without authentication, potentially achieving high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or system crashes.
Details on the vulnerability, including a proof-of-concept, are documented in the GitHub repository at https://github.com/jangfan/my-vuln/blob/main/Tenda/i12V1/setcfm.md. No vendor advisories or patches are referenced in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in unauthenticated public-facing web form (formSetCfm) on router enables remote code execution, directly matching exploitation of public-facing applications.