CVE-2025-12232
BaseFortify
Publication date: 2025-10-27
Last updated on: 2026-02-24
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ch22_firmware | 1.0.0.1 |
| tenda | ch22 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12232 is a critical buffer overflow vulnerability in the Tenda CH22 router firmware version 1.0.0.1. It exists in the fromSafeClientFilter() function of the /goform/SafeClientFilter endpoint, where the "page" parameter is copied into a fixed-size 256-byte buffer using the unsafe sprintf function without length checks. If an attacker sends a "page" parameter larger than 256 bytes, it causes a buffer overflow, overwriting adjacent memory. This flaw can be exploited remotely without authentication by sending a specially crafted POST request. [1, 2, 3]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to denial of service by crashing the router's web server process, making the device management interface unavailable. It can also allow arbitrary code execution by overwriting the stack return address, enabling attackers to run malicious code and gain full control over the device. Additionally, it may cause information leakage by exposing sensitive device memory contents. Overall, it threatens device stability, data confidentiality, integrity, and availability. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a specially crafted POST request to the /goform/SafeClientFilter endpoint with an oversized "page" parameter (e.g., more than 256 bytes). A practical detection method is to use a command-line tool like curl to send such a request and observe if the device crashes or behaves abnormally. For example, you can use the following command to test the vulnerability: `curl -X POST http://<target-ip>/goform/SafeClientFilter -d "page=$(python3 -c 'print("a"*2048)')"`. If the device crashes, becomes unresponsive, or the web interface is inaccessible after this request, it indicates the presence of the vulnerability. Monitoring network traffic for unusual POST requests to /goform/SafeClientFilter with large payloads can also help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

- Restrict or block remote access to the /goform/SafeClientFilter endpoint to prevent exploitation.
- Apply input validation and length checks on the "page" parameter to ensure it does not exceed 256 bytes.
- Replace unsafe functions like sprintf with safer alternatives such as snprintf in the firmware.
- Run the affected service with the least privilege to limit potential damage.
- If possible, update the device firmware to a version where this vulnerability is fixed or replace the affected product with a secure alternative.
- Monitor the device for signs of exploitation and consider isolating it from critical network segments until patched. [1, 3]
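The two firmware-side mitigations above (a length check on the "page" parameter and replacing sprintf with snprintf) are illustrated in the following C example. It is added here and is not code from the page, from Tenda, or from BaseFortify; the Tenda firmware's actual source is not reproduced. The 256-byte buffer size, the parameter name and the endpoint come from the page; the function names (`copy_page_param`, `handle_safe_client_filter`, `simulate_request`, `roundtrip_ok`) and the 200/400 status codes are this example's own assumptions about how a hardened handler would be structured.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size named on the page for the "page" parameter. */
#define PAGE_BUF_SIZE 256

/* Result codes for the hardened copy (names are this example's own). */
enum page_copy_result { PAGE_OK = 0, PAGE_TOO_LONG = -1, PAGE_BAD_ARG = -2 };

/*
 * Vulnerable pattern as the page describes it (shown only as a comment and
 * never executed here; the real firmware code is not reproduced):
 *
 *     char page[256];
 *     sprintf(page, "%s", page_param);   // no destination size -> CWE-120
 *
 * sprintf does not know how large `page` is, so a value of 256 bytes or
 * more runs off the end of the stack buffer (CWE-119).
 */

/* Bounded string length: stops scanning after `limit` bytes so an oversized
   or unterminated input cannot drag the scan past the region we care about. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened copy: validate the length first, then use a size-aware copy. */
int copy_page_param(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return PAGE_BAD_ARG;
    dst[0] = '\0';                      /* leave a sane value on any failure */
    if (src == NULL)
        return PAGE_BAD_ARG;

    /* Length check: the string plus its terminator must fit in dst. */
    if (bounded_len(src, dst_size) >= dst_size)
        return PAGE_TOO_LONG;

    /* snprintf never writes more than dst_size bytes; its return value is
       still checked as a second line of defence against truncation. */
    int written = snprintf(dst, dst_size, "%s", src);
    if (written < 0 || (size_t)written >= dst_size) {
        dst[0] = '\0';
        return PAGE_TOO_LONG;
    }
    return PAGE_OK;
}

/* Stand-in for the request handler: returns the HTTP status to send back. */
int handle_safe_client_filter(const char *page_param)
{
    char page[PAGE_BUF_SIZE];
    if (copy_page_param(page, sizeof page, page_param) != PAGE_OK)
        return 400;                     /* reject instead of overflowing */
    /* ... normal client-filter logic would use `page` here ... */
    return 200;
}

/* Builds a constructed "page" value of `len` bytes of 'a' and runs it
   through the handler; shows the boundary between 255 and 256 bytes. */
int simulate_request(size_t len)
{
    char *param = malloc(len + 1);
    if (param == NULL)
        return -1;
    memset(param, 'a', len);
    param[len] = '\0';
    int status = handle_safe_client_filter(param);
    free(param);
    return status;
}

/* Returns 1 if a value that fits is copied intact, 0 otherwise. */
int roundtrip_ok(const char *value)
{
    char buf[PAGE_BUF_SIZE];
    return copy_page_param(buf, sizeof buf, value) == PAGE_OK
           && strcmp(buf, value) == 0;
}

int main(void)
{
    printf("5 bytes    -> %d\n", simulate_request(5));     /* 200 */
    printf("255 bytes  -> %d\n", simulate_request(255));   /* 200 */
    printf("256 bytes  -> %d\n", simulate_request(256));   /* 400 */
    printf("2048 bytes -> %d\n", simulate_request(2048));  /* 400 */
    return 0;
}
```

The explicit length check before the copy is what makes the request fail closed: with it, an oversized "page" value produces a 400 response rather than a crashed web server, and the snprintf return-value check catches any truncation should the size check ever be bypassed by a later code change.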