CVE Alert: CVE-2025-12236 – Tenda – CH22

CVE-2025-12236

HIGH | No exploitation known

A vulnerability was determined in Tenda CH22 1.0.0.1. This issue affects the function fromDhcpListClient of the file /goform/DhcpListClient. This manipulation of the argument page causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

CVSS v3.1 (8.8)

Vendor: Tenda
Product: CH22
Versions: 1.0.0.1
CWE: CWE-120, Buffer Overflow
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Published: 2025-10-27T06:22:47.662Z
Updated: 2025-10-27T06:22:47.662Z

AI Summary Analysis

Risk verdict

High risk of remote code execution due to a buffer overflow in the DHCP list client, with a publicly disclosed exploit and a PoC available for use against exposed devices.

Why this matters

If an attacker achieves code execution on an edge device, they can take full control, reconfigure networking, and pivot into adjacent hosts. The combination of remote access, high impact on confidentiality/integrity/availability, and a publicly known exploit makes this a pressing threat for environments with exposed management interfaces or LAN-facing services.

Most likely attack path

  • No user interaction required; network-based exploitation is possible.
  • Attacker needs only limited privileges on the target device and crafts a malicious input to the page parameter, triggering the overflow.
  • Successful exploitation yields memory corruption and device compromise, enabling lateral movement within the protected network where the device acts as a gateway or central control point.

Who is most exposed

Consumer and small business routers with web-based management exposed to the internet or reachable via the LAN are most at risk, especially where WAN management is enabled or access controls are weak.

Detection ideas

  • Unusual requests to the DHCP list client endpoint with anomalous page parameters.
  • Repeated crashes or reboots logged on the device; memory corruption symptoms.
  • Abnormal outbound/inbound traffic patterns around management interfaces.
  • Core dumps or crash dumps tied to the affected component.
  • Signature-based IOC alerts or CTI IOAs linked to this vulnerability.
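
The first detection idea above, as an added example (not from the advisory or the vendor): a Python check that flags requests to /goform/DhcpListClient whose page value is oversized, non-numeric or repeated. The log layout ("src method uri [body]"), the sample records and the MAX_PAGE_LEN threshold are assumptions; adapt them to your own proxy or capture logs.

```python
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/DhcpListClient"   # path named in the advisory
MAX_PAGE_LEN = 4                      # assumption: a legitimate page index is a short integer

def check_request(uri, body=""):
    """Return a reason string if the request looks anomalous, else None."""
    parts = urlsplit(uri)
    if parts.path.rstrip("/") != ENDPOINT:
        return None
    # 'page' may arrive in the query string or in a form-encoded body.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    values = params.get("page", [])
    if len(values) > 1:
        return "page supplied more than once"
    for v in values:
        if len(v) > MAX_PAGE_LEN:
            return f"page length {len(v)} exceeds {MAX_PAGE_LEN}"
        if not (v.isascii() and v.isdigit()):
            return "page is not a decimal integer"
    return None

def scan(lines):
    """Return (source, reason) for each flagged line: 'src method uri [body]'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        src, _method, uri = fields[:3]
        body = fields[3] if len(fields) > 3 else ""
        reason = check_request(uri, body)
        if reason:
            hits.append((src, reason))
    return hits

# Constructed sample records (not real traffic).
SAMPLE = [
    "192.0.2.10 GET /goform/DhcpListClient?page=1",
    "192.0.2.10 GET /index.html",
    "198.51.100.7 POST /goform/DhcpListClient page=" + "A" * 600,
    "198.51.100.7 GET /goform/DhcpListClient?page=1%27",
    "203.0.113.5 POST /goform/DhcpListClient page=2&page=3",
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Form bodies are rarely present in plain access logs, so the body field only helps where the proxy or sensor in front of the device records them.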

Mitigation and prioritisation

  • Apply vendor patch to the affected version as soon as available; verify deployment across all affected devices.
  • If patching is delayed, disable or tightly restrict remote management interfaces; implement strict access controls and network segmentation.
  • Block or monitor traffic to the vulnerable endpoint from untrusted networks; enforce least-privilege access to management services.
  • Test fixes in a lab before roll-out; plan a staged, monitored deployment with rollback.
  • If KEV/EPSS indicators are confirmed later, reclassify as higher priority accordingly.
