CVE-2025-12272
BaseFortify
Publication date: 2025-10-27
Last updated on: 2026-02-24
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ch22_firmware | 1.0.0.1 |
| tenda | ch22 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12272 is a critical buffer overflow vulnerability in the Tenda CH22 router version 1.0.0.1. It exists in the fromAddressNat() function within the /goform/addressNat endpoint. The vulnerability arises because the function uses the unsafe sprintf function to copy a user-controlled "page" parameter into a fixed-size buffer of 256 bytes without checking the input length. If an attacker sends input larger than 256 bytes, it causes a buffer overflow, overwriting adjacent memory. This can lead to application crashes, memory corruption, arbitrary code execution, and leakage of sensitive information. The exploit can be initiated remotely without authentication. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can severely impact you by allowing remote attackers to crash the application (Denial of Service), execute arbitrary code on the device (potentially gaining full control), and leak sensitive information from device memory. This compromises the confidentiality, integrity, and availability of the device and its data. Since exploitation requires no authentication and a public proof-of-concept exploit exists, the risk of attack is high. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the /goform/addressNat endpoint with an oversized "page" parameter exceeding 256 bytes. A detection method involves capturing network traffic and filtering for POST requests targeting /goform/addressNat with unusually large payloads in the "page" parameter. For example, using a tool like tcpdump or Wireshark to capture traffic and then filtering HTTP POST requests to /goform/addressNat. Additionally, you can use curl or similar tools to test the endpoint by sending a POST request with a large "page" parameter (e.g., 2048 bytes) to see if the device crashes or behaves abnormally, indicating vulnerability. Example command to test manually: curl -X POST http://<router-ip>/goform/addressNat -d "page=$(head -c 2048 /dev/zero | tr '\0' 'A')" [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /goform/addressNat endpoint to trusted networks only, applying network-level filtering or firewall rules to block suspicious POST requests with large payloads targeting this endpoint, and limiting the privileges of the affected service to reduce impact. Since no official patch or fix is currently available, consider replacing the affected product with a more secure alternative. Additionally, monitor the device for signs of exploitation such as crashes or abnormal behavior. Long-term remediation involves updating the firmware to a version that replaces unsafe functions like sprintf with safer alternatives such as snprintf, and implementing strict input validation and length checks on the "page" parameter. [1, 2, 3]