CVE-2025-12272
Published: 27 October 2025
Summary
CVE-2025-12272 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda CH22 firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-12272 is a buffer overflow vulnerability in Tenda CH22 firmware version 1.0.0.1. The flaw affects the fromAddressNat function in the /goform/addressNat file, where manipulation of the "page" argument triggers the overflow. Published on 2025-10-27, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).
The vulnerability enables remote exploitation by an attacker possessing low privileges, as indicated by its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A successful attack requires network access with low complexity and no user interaction, allowing the attacker to compromise confidentiality, integrity, and availability to a high degree, potentially resulting in remote code execution or system disruption.
VulDB advisories (e.g., ctiid.329944, id.329944) document the issue and recent submission details, while a proof-of-concept exploit is publicly available on GitHub at https://github.com/QIU-DIE/CVE/issues/21. The vendor site https://www.tenda.com.cn/ is referenced, but no specific patch or mitigation guidance is detailed in the provided sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-36165
Vulnerability details
A security flaw has been discovered in Tenda CH22 1.0.0.1. This impacts the function fromAddressNat of the file /goform/addressNat. Performing a manipulation of the argument page results in buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated buffer overflow in public-facing router web interface (/goform/addressNat) enables remote exploitation of public-facing application (T1190) and application/system denial of service via crash (T1499.004); potential for RCE facilitates device compromise.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely remediation of the known buffer overflow flaw through firmware patching.
Prevents buffer overflows by enforcing validation of the exploitable 'page' argument in the /goform/addressNat endpoint.
Mitigates remote code execution from buffer overflows via memory protections like ASLR and non-executable stacks.
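As an added example (not code from the vendor, VulDB or this page's sources), the input-validation control for the 'page' argument can be approximated in front of the device by checking proxy access logs for out-of-policy values sent to /goform/addressNat. The 1-8 digit policy, the log format, the `/goform/other` path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/addressNat"          # endpoint named in the advisory
PARAM = "page"                           # argument named in the advisory
# Assumed policy (not from the advisory): a page index is 1-8 ASCII digits.
VALID_PAGE = re.compile(r"[0-9]{1,8}")
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def scan(lines):
    """Return (line_no, client, value_length) for each out-of-policy 'page' value."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue                      # not a parsable request line
        target = urlsplit(match.group("target"))
        if target.path != ENDPOINT:
            continue                      # other endpoints are out of scope here
        query = parse_qs(target.query, keep_blank_values=True)
        for value in query.get(PARAM, []):
            if not VALID_PAGE.fullmatch(value):
                # Record the length only; never copy the raw value into alerts.
                findings.append((line_no, line.split()[0], len(value)))
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Oct/2025:10:00:01 +0000] "GET /goform/addressNat?page=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Oct/2025:10:00:05 +0000] "GET /goform/addressNat?page=' + "7" * 600 + ' HTTP/1.1" 502 0',
    '203.0.113.5 - - [27/Oct/2025:10:00:09 +0000] "GET /goform/addressNat?page=abc HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/Oct/2025:10:00:12 +0000] "GET /goform/other?page=' + "7" * 600 + ' HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line_no, client, length in scan(SAMPLE_LOG):
        print(f"line {line_no}: {client} sent {PARAM} of length {length} to {ENDPOINT}")
```

The same allow-list pattern can be enforced as a blocking rule at the proxy; query-string logs do not show values carried in a POST body, so body inspection is needed to cover that path.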