CVE-2025-12618
Published: 03 November 2025
Summary
CVE-2025-12618 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac8 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 directly remediates the buffer overflow flaw by identifying, patching, and testing firmware updates for the vulnerable /goform/DatabaseIniSet function.
SI-10 prevents the buffer overflow by validating the 'Time' argument in the /goform/DatabaseIniSet endpoint to ensure it does not exceed buffer limits.
SI-16 mitigates buffer overflow exploitation through memory protections like stack guards, ASLR, and non-executable memory in the router firmware.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in Tenda AC8 router's remote web interface (/goform/DatabaseIniSet) enables remote exploitation for initial access or code execution on a public-facing application or remote service.
NVD Description
A vulnerability has been found in Tenda AC8 16.03.34.06. This impacts an unknown function of the file /goform/DatabaseIniSet. The manipulation of the argument Time leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to…
more
the public and may be used.
Deeper analysisAI
CVE-2025-12618 is a buffer overflow vulnerability in Tenda AC8 routers running firmware version 16.03.34.06. The flaw affects an unknown function in the /goform/DatabaseIniSet file, where manipulation of the "Time" argument triggers the overflow. Published on 2025-11-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWEs 119 and 120.
The vulnerability enables remote exploitation by attackers possessing low privileges, such as authenticated users on the device. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or device takeover.
Advisories and further details are documented on VulDB (https://vuldb.com/?ctiid.330912, https://vuldb.com/?id.330912, https://vuldb.com/?submit.678887) and the Tenda vendor site (https://www.tenda.com.cn/). A proof-of-concept exploit has been publicly disclosed, including at https://pan.baidu.com/s/11fdpTujKw6Xz0yPE2l4cMw.
Details
- CWE(s)