CVE-2025-12236
BaseFortify
Publication date: 2025-10-27
Last updated on: 2026-02-24
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ch22_firmware | 1.0.0.1 |
| tenda | ch22 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12236 is a critical buffer overflow vulnerability in the Tenda CH22 router firmware version 1.0.0.1. It occurs in the fromDhcpListClient() function within the /goform/DhcpListClient endpoint, where a user-controlled "page" parameter is copied into a fixed-size buffer of 256 bytes using the unsafe sprintf function without proper length checks. If an input larger than 256 bytes is provided, it can overwrite adjacent memory, causing memory corruption, application crashes, or allowing arbitrary code execution. This vulnerability can be exploited remotely without authentication. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to several severe impacts: denial of service through application crashes, unauthorized arbitrary code execution potentially allowing full control over the device, and leakage of sensitive information from device memory. Since exploitation requires no authentication and can be performed remotely, it poses a significant risk to device stability, data confidentiality, and overall system security. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for POST requests to the /goform/DhcpListClient endpoint containing an unusually large "page" parameter (greater than 256 bytes). A practical detection method is to capture and analyze HTTP POST requests targeting this endpoint and check the size of the "page" parameter. For example, using tools like tcpdump or Wireshark to filter HTTP POST requests to /goform/DhcpListClient, or using curl or similar tools to test the endpoint with oversized inputs. A sample command to test the vulnerability could be: curl -X POST -d "page=$(python3 -c 'print("A"*300)')" http://<target-ip>/goform/DhcpListClient. Additionally, intrusion detection systems (IDS) can be configured to alert on oversized POST parameters to this endpoint. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Restricting access to the vulnerable /goform/DhcpListClient endpoint by network segmentation or firewall rules to limit exposure. 2) Applying input validation and sanitization to ensure the "page" parameter does not exceed 256 bytes, rejecting or truncating oversized inputs. 3) Replacing unsafe functions like sprintf with safer alternatives such as snprintf in the firmware code. 4) Running services with the least privilege to limit potential damage. 5) Monitoring for exploit attempts and applying any available firmware updates or patches from the vendor. If no patch is available, consider replacing the affected device with a secure alternative. [2]