CVE-2025-12235
BaseFortify
Publication date: 2025-10-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ch22_firmware | 1.0.0.1 |
| tenda | ch22 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12235 is a critical buffer overflow vulnerability in the Tenda CH22 router version 1.0.0.1. It occurs in the fromSetIpBind() function within the /goform/SetIpBind endpoint, where a user-controlled "page" parameter is processed using the unsafe sprintf function. This function writes data into a fixed-size buffer of 256 bytes without checking the input length. If an attacker sends input larger than 256 bytes, it causes a buffer overflow, overwriting adjacent memory and leading to memory corruption. This can result in application crashes, denial of service, arbitrary code execution, or information leakage. Exploitation requires the attacker to be on the local network and no authentication is needed. [2, 3, 4]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including causing the router application to crash (denial of service), allowing attackers to execute arbitrary code on the device, take full control of the router, monitor network traffic, and use the compromised device as a pivot point for further attacks within the local network. It threatens device stability, data confidentiality, and overall network security. [2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the /goform/SetIpBind endpoint with an unusually large "page" parameter (greater than 256 bytes). Detection can involve inspecting network traffic for such requests originating from the local network. A practical approach is to capture and analyze HTTP POST requests targeting /goform/SetIpBind and check the size of the "page" parameter. For example, using tools like tcpdump or Wireshark to capture traffic, or using curl or similar tools to test the endpoint with oversized payloads. A sample command to test the vulnerability could be: curl -X POST http://<router-ip>/goform/SetIpBind -d "page=$(python3 -c 'print("A"*2048)')". Monitoring logs for crashes or abnormal behavior of the router after such requests can also indicate exploitation attempts. [2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable /goform/SetIpBind endpoint to trusted users only, ideally limiting access to necessary administrative personnel within the local network. Applying input validation and length checks on the "page" parameter to ensure it does not exceed 256 bytes is critical. If possible, update or patch the firmware to a version where the sprintf function is replaced with safer functions like snprintf, and input sanitization is implemented. Additionally, applying the principle of least privilege to services and restricting access to sensitive memory and configuration areas can reduce risk. Monitoring for exploitation attempts and disabling or isolating vulnerable devices until a patch is applied is also recommended. [2, 4]