CVE-2025-13400
Published: 19 November 2025
Summary
CVE-2025-13400 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ch22 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 39.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the buffer overflow flaw in formWrlExtraGet by applying vendor firmware patches to eliminate the vulnerability.
Enforces validation of the chkHz argument in the /goform/WrlExtraGet endpoint to prevent buffer overflows from manipulated inputs.
Provides memory protections like address space layout randomization and stack guards to block exploitation of the buffer overflow for arbitrary code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated buffer overflow in the router's public-facing web endpoint (/goform/WrlExtraGet) enables remote code execution via exploitation of a public-facing application (T1190) and denial of service through application crash or memory corruption (T1499.004).
NVD Description
A vulnerability was detected in Tenda CH22 1.0.0.1. Affected is the function formWrlExtraGet of the file /goform/WrlExtraGet. Performing a manipulation of the argument chkHz results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public…
more
and may be used.
Deeper analysisAI
CVE-2025-13400 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting Tenda CH22 router firmware version 1.0.0.1. The flaw resides in the formWrlExtraGet function within the /goform/WrlExtraGet endpoint, where manipulation of the chkHz argument triggers the overflow. Published on 2025-11-19, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), marking it as high severity.
Attackers with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution on the affected device.
Advisories from VULDB (https://vuldb.com/?ctiid.332926, https://vuldb.com/?id.332926, https://vuldb.com/?submit.692145) and the vendor site (https://www.tenda.com.cn/) provide further details, including a related GitHub issue with a public exploit (https://github.com/f000x0/cve/issues/14).
The exploit is now public and may be used, heightening the risk of real-world attacks against unpatched Tenda CH22 devices.
Details
- CWE(s)