CVE-2025-12212
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2026-02-24

Assigner: VulDB

Description
A weakness has been identified in Tenda O3 1.0.0.10(2478). This affects the function SetValue/GetValue of the file /goform/setNetworkService. This manipulation of the argument upnpEn causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12212
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tenda o3_firmware1.0.0.10\(2478\) *
tenda o3 2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include restricting remote access to the vulnerable endpoint "/goform/setNetworkService" on affected Tenda O3 devices, applying network-level filtering to block malicious POST requests containing the "upnpEn" parameter, and monitoring for exploit attempts. Since the vulnerability allows remote exploitation, limiting exposure to untrusted networks is critical. Additionally, updating the device firmware to a patched version when available is recommended. No specific patch or workaround details are provided in the resources. [1]

Executive Summary

CVE-2025-12212 is a stack-based buffer overflow vulnerability in the Tenda O3 firmware version 1.0.0.10(2478). It occurs due to improper handling of the 'upnpEn' parameter submitted to the /goform/setNetworkService endpoint. The firmware does not properly validate or limit the size of this input, which allows an attacker to overflow the stack. This flaw can be exploited remotely and the exploit code is publicly available. [1]

Impact Analysis

Exploiting this vulnerability could allow an attacker to execute arbitrary code on the affected device or cause a denial of service. This means an attacker could potentially take control of the device remotely or disrupt its normal operation. [1]

Detection Guidance

This vulnerability can be detected by monitoring or testing for the presence of the vulnerable endpoint "/goform/setNetworkService" on Tenda O3 devices running firmware version 1.0.0.10(2478). Specifically, sending crafted POST requests with the "upnpEn" parameter to this endpoint and observing for abnormal behavior such as crashes or buffer overflow symptoms can indicate the vulnerability. Network scanning tools or custom scripts can be used to detect devices responding to this endpoint. However, no specific detection commands are provided in the available resources. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12212. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart