CVE-2025-12265
Published: 27 October 2025
Summary
CVE-2025-12265 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ch22 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the buffer overflow in Tenda CH22 firmware by requiring timely remediation through vendor patches for the vulnerable fromVirtualSer function.
Prevents exploitation of the buffer overflow by enforcing validation of the 'page' argument in the /goform/VirtualSer endpoint to avoid buffer overruns.
Mitigates arbitrary code execution from the buffer overflow via memory protection mechanisms such as address space randomization and non-executable memory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow vulnerability in the unauthenticated web management interface (/goform/VirtualSer) of the Tenda CH22 router enables remote exploitation for arbitrary code execution or denial of service, directly facilitating exploitation of a public-facing application.
NVD Description
A weakness has been identified in Tenda CH22 1.0.0.1. Affected by this issue is the function fromVirtualSer of the file /goform/VirtualSer. This manipulation of the argument page causes buffer overflow. Remote exploitation of the attack is possible. The exploit has…
more
been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2025-12265 is a buffer overflow vulnerability in Tenda CH22 firmware version 1.0.0.1. The flaw affects the fromVirtualSer function in the /goform/VirtualSer file, where manipulation of the page argument triggers the overflow. Published on 2025-10-27, it is associated with CWE-119 and CWE-120.
The vulnerability enables remote exploitation requiring low privileges (PR:L), network access (AV:N), low attack complexity (AC:L), and no user interaction (UI:N). With a CVSS v3.1 base score of 8.8 (S:U/C:H/I:H/A:H), attackers can achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution.
Advisories reference VulDB entries (ctiid.329936, id.329936, submit.674012) and a GitHub issue at QIU-DIE/CVE/issues/18, where the exploit has been publicly disclosed and could be used for attacks. The Tenda vendor site is listed at www.tenda.com.cn.
The exploit availability heightens the risk for exposed Tenda CH22 devices.
Details
- CWE(s)