CVE-2025-12274
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-10-28
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ch22_firmware | 1.0.0.1 |
| tenda | ch22 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12274 is a critical buffer overflow vulnerability in the Tenda CH22 router firmware version 1.0.0.1. It occurs in the fromP2pListFilter() function within the /goform/P2pListFilter endpoint, where a user-controlled "page" parameter is copied into a fixed-size buffer of 256 bytes using the unsafe sprintf function without proper length checks. If an input larger than 256 bytes is provided, it causes adjacent memory to be overwritten, leading to memory corruption. This flaw can be exploited remotely without authentication. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to several severe impacts including denial of service (DoS) by crashing the web server and making the device management interface inaccessible; arbitrary code execution by overwriting the stack return address, potentially allowing an attacker to take full control of the device; and information leakage by exposing sensitive device memory. Exploitation is easy and requires no authentication, making it highly accessible to attackers. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted POST request to the /goform/P2pListFilter endpoint with an oversized "page" parameter (e.g., 2048 bytes) and observing if the device crashes or behaves abnormally, indicating a buffer overflow. A sample command using curl to test this could be: curl -X POST http://<target-ip>/goform/P2pListFilter -d "page=$(python3 -c 'print("A"*2048)')" If the device crashes or the management interface becomes inaccessible, it indicates the presence of the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable /goform/P2pListFilter endpoint, applying input validation and sanitization to ensure the "page" parameter does not exceed 256 bytes, and replacing unsafe functions like sprintf with safer alternatives such as snprintf that enforce buffer size limits. Additionally, applying the principle of least privilege to minimize potential damage, and if possible, updating or replacing the affected firmware or device version to a patched one are recommended. [1, 2]