CVE Alert: CVE-2025-9443 - Tenda - CH22

CVE-2025-9443

HIGHNo exploitation known

A flaw has been found in Tenda CH22 1.0.0.1. This vulnerability affects the function formeditUserName of the file /goform/editUserName. Executing manipulation of the argument new_account can lead to buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used.

CVSS v3.1 (8.8)

Vendor

Tenda

Product

CH22

Versions

1.0.0.1

CWE

CWE-120, Buffer Overflow

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

Published

2025-08-26T02:32:08.370Z

Updated

2025-08-26T02:32:08.370Z

References

https://vuldb.com/?id.321281
https://vuldb.com/?ctiid.321281
https://vuldb.com/?submit.634271
https://github.com/moweizhang1994/cve/issues/4
https://www.tenda.com.cn/

AI Summary Analysis

Risk verdict

High risk: publicly disclosed exploit enables remote code execution on Tenda CH22; PoC exists, implying active exploitation potential.

Why this matters

The vulnerability yields memory corruption and a buffer overflow via a network-accessible endpoint, with high impact to confidentiality, integrity and availability. If exploited, an attacker could take full control of the device, access or tamper with traffic, and pivot to adjacent devices on the network.

Most likely attack path

Exploitation is network-based and requires no user interaction, but CVSS indicates at least low privileges are required to trigger the issue. An attacker on the same network could send crafted input to /goform/editUserName, trigger code execution, then maintain access or disrupt service on the device. Lateral movement is facilitated by the device’s trust relationships within the local network; remote compromise could enable interception of traffic routing or credentials stored on the box.

Who is most exposed

Devices deployed as consumer or small-business routers with WAN management enabled or exposed to the internet are most at risk; deployments in which routers sit on unsegmented networks or used in remote-access scenarios are particularly vulnerable.

Detection ideas

Unusual or long inputs to /goform/editUserName (new_account parameter).
Crashes or memory corruption events logged by the device’s watchdog or kernel.
Repeated failed or abnormal access attempts to the editUserName endpoint.
Post-exploit indicators: unexpected new processes, privilege changes, or persistence mechanisms.
IOC signatures or network traffic patterns matching public exploit activity.

Mitigation and prioritisation

Apply vendor patch or upgrade to fixed CH22 firmware as a first step.
If patching is not feasible, disable or tightly restrict remote management; limit admin access to trusted networks.
Enforce strong admin authentication, rotate credentials, and review access controls.
Network segmentation: isolate IoT/RoUT devices from high-value assets; monitor inter-VLAN traffic.
Implement IDS/IPS rules or signatures aligned with the public exploit indicators.
If KEV is present or EPSS ≥ 0.5, treat as priority 1.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: ch22, CVE, cve-2025-9443, OSINT, tenda, threatintel