Cyber Posture

CVE-2025-14994

High · Public PoC

Published: 21 December 2025
Modified: 31 December 2025
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.9th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14994 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Fh1201 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 36.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-10 requires validation of the webSiteId input argument to prevent stack-based buffer overflows from improper strcat usage in the HTTP request handler.

Prevent: SI-16 enforces memory protections like stack canaries, ASLR, and DEP to mitigate exploitation of the stack-based buffer overflow vulnerability.

Prevent: SI-2 mandates timely flaw remediation through firmware patching to address the specific buffer overflow in Tenda FH1201/FH1206 routers.
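
The SI-10 control above, sketched as an added C example (not Tenda's firmware code and not taken from the referenced advisories): a handler step that validates a webSiteId-style parameter and appends it with a bounded routine instead of strcat. The digits-only format, the 16-character limit, the "site_" prefix and all function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define SITE_ID_MAX 16 /* assumed policy limit, not taken from the firmware */

/* SI-10 style check: non-empty, at most SITE_ID_MAX chars, digits only.
   The digits-only format is an assumption made for this example. */
static int valid_site_id(const char *s)
{
    size_t i;
    if (s == NULL)
        return 0;
    for (i = 0; s[i] != '\0'; i++) {
        if (i >= SITE_ID_MAX || !isdigit((unsigned char)s[i]))
            return 0;
    }
    return i > 0;
}

/* Bounded replacement for strcat: appends src only if the result, including
   the terminating NUL, fits in cap bytes. Returns 0 on success, -1 if dst is
   not NUL-terminated within cap or src does not fit (dst is left unchanged). */
static int append_bounded(char *dst, size_t cap, const char *src)
{
    const char *end = memchr(dst, '\0', cap);
    size_t used, need;
    if (end == NULL)
        return -1;
    used = (size_t)(end - dst);
    need = strlen(src);
    if (need >= cap - used)
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Hypothetical handler step: build "site_<webSiteId>" in a caller-owned
   buffer. Rejects the request instead of writing past the buffer. */
int build_site_key(char *out, size_t cap, const char *web_site_id)
{
    if (out == NULL || cap == 0 || !valid_site_id(web_site_id))
        return -1;
    out[0] = '\0';
    if (append_bounded(out, cap, "site_") != 0)
        return -1;
    return append_bounded(out, cap, web_site_id);
}
```

The caller treats a return of -1 as a rejected request; the length check in `append_bounded` still holds if the validation policy is later relaxed.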

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Remote stack-based buffer overflow in router HTTP handler (/goform/webtypelibrary) enables exploitation of public-facing web applications and remote services for potential RCE.

NVD Description

A flaw has been found in Tenda FH1201 and FH1206 1.2.0.14(408)/1.2.0.8(8155). This impacts the function strcat of the file /goform/webtypelibrary of the component HTTP Request Handler. This manipulation of the argument webSiteId causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used.

Deeper analysis (AI)

CVE-2025-14994 is a stack-based buffer overflow vulnerability in the strcat function within the /goform/webtypelibrary endpoint of the HTTP Request Handler component. It affects Tenda FH1201 and FH1206 routers running firmware versions 1.2.0.14(408) and 1.2.0.8(8155). The overflow is triggered by manipulating the webSiteId argument; the associated CWEs are CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), such as an authenticated user on the network. Exploitation involves sending a crafted HTTP request to the vulnerable endpoint, triggering the buffer overflow. Successful exploitation has a high impact on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data theft, or denial of service on the affected router.

References include proof-of-concept exploits published on GitHub for both Tenda FH1201 and FH1206 models, detailing the buffer overflow in the webtypelibrary function. VulDB entries document the issue but do not specify patches or vendor mitigations in the provided information. The public availability of exploits increases the risk of real-world attacks.

Details

CWE(s)

Affected Products

tenda · fh1201 firmware · 1.2.0.14(408)
tenda · fh1206 firmware · 1.2.0.8(8155)

CVEs Like This One

CVE-2025-7548 · Same product: Tenda Fh1201
CVE-2025-7550 · Same product: Tenda Fh1201
CVE-2025-7549 · Same product: Tenda Fh1201
CVE-2025-14995 · Same product: Tenda Fh1201
CVE-2025-7551 · Same product: Tenda Fh1201
CVE-2026-5046 · Same product: Tenda Fh1201
CVE-2026-5045 · Same product: Tenda Fh1201
CVE-2025-7416 · Same vendor: Tenda
CVE-2025-8131 · Same vendor: Tenda
CVE-2025-7855 · Same vendor: Tenda
