Cyber Resilience

CVE-2025-12274

HighPublic PoC

Published: 27 October 2025

Published
27 October 2025
Modified
28 October 2025
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0028 51.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-12274 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ch22 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-12274 is a buffer overflow vulnerability affecting Tenda CH22 firmware version 1.0.0.1. The issue resides in the fromP2pListFilter function within the /goform/P2pListFilter file, where manipulation of the "page" argument triggers the overflow. Associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation allows high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) within the unchanged scope (S:U), potentially enabling arbitrary code execution or denial of service on the affected device.

Advisories and details are available via VulDB entries (ctiid.329946, id.329946, submit.674165) and a GitHub issue at QIU-DIE/CVE/issues/23, with the vendor site at tenda.com.cn listed as a reference. The exploit has been publicly disclosed and may be used, though no specific patch or mitigation steps are detailed in the available information.

EU & UK References

Vulnerability details

A security vulnerability has been detected in Tenda CH22 1.0.0.1. Affected by this vulnerability is the function fromP2pListFilter of the file /goform/P2pListFilter. The manipulation of the argument page leads to buffer overflow. Remote exploitation of the attack is possible. The…

more

exploit has been disclosed publicly and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in web endpoint (/goform/P2pListFilter) enables remote exploitation of public-facing application for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-12232Same product: Tenda Ch22
CVE-2025-9443Same product: Tenda Ch22
CVE-2025-12265Same product: Tenda Ch22
CVE-2025-9812Same product: Tenda Ch22
CVE-2025-9007Same product: Tenda Ch22
CVE-2025-8180Same product: Tenda Ch22
CVE-2025-9813Same product: Tenda Ch22
CVE-2025-9006Same product: Tenda Ch22
CVE-2025-12234Same product: Tenda Ch22
CVE-2025-12273Same product: Tenda Ch22

Affected Assets

tenda
ch22 firmware
1.0.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely remediation of the known buffer overflow flaw in Tenda CH22 firmware via patches or updates.

prevent

Prevents exploitation by enforcing validation and bounds checking on the manipulable 'page' argument in the /goform/P2pListFilter endpoint.

prevent

Mitigates buffer overflow impacts through memory protection mechanisms like stack canaries, ASLR, and DEP, hindering arbitrary code execution.

References