CVE Alert: CVE-2025-9748 – Tenda – CH22
CVE-2025-9748
A vulnerability was determined in Tenda CH22 1.0.0.1. Affected by this issue is the function fromIpsecitem of the file /goform/IPSECsave of the component httpd. Manipulation of the argument ipsecno leads to a stack-based buffer overflow. The attack may be launched remotely.
AI Summary Analysis
Risk verdict
High risk: a remotely triggerable stack-based buffer overflow in the Tenda CH22 httpd that can plausibly be turned into code execution and full device compromise; remediation should be treated as urgent. The source data provides no KEV listing and no SSVC exploitation status.
Why this matters
The flaw corrupts httpd stack memory via a remote request that needs only a low-privileged session (PR:L, consistent with the vector below), with full impact on confidentiality, integrity and availability. In practice, an attacker who can reach the management interface could take control of the router, intercept or exfiltrate traffic, or disrupt the network segments behind it, affecting every user and device that depends on it.
Most likely attack path
An attacker triggers the stack-based overflow by sending a crafted ipsecno value to /goform/IPSECsave, which is handled by fromIpsecitem, over the network (AV:N) with no user interaction (UI:N). Low privileges are required (PR:L), so the attacker needs a valid low-privileged session on the web interface, or a way to obtain one; because no user interaction is involved, exploitation is scriptable against any instance whose management interface is reachable. Scope is unchanged (S:U), but a successful exploit gives complete control of the device and a foothold for lateral movement into adjacent network resources.
Who is most exposed
Consumer and small-business deployments that expose the management interface or httpd service on the WAN side; home, branch-office and corporate environments that run this router model without isolating its management plane from untrusted networks are at elevated risk.
Detection ideas
- Unexplained httpd restarts or device reboots that correlate in time with requests to /goform/IPSECsave; embedded routers rarely log crashes in detail, so correlate uptime or syslog events with upstream traffic captures.
- HTTP requests carrying an oversized or non-numeric ipsecno parameter; the router will not log form bodies itself, so this needs a proxy, IDS or packet capture in front of the device.
- Any HTTP traffic from external sources reaching the device's admin interface; given PR:L, look for login activity immediately preceding the IPSECsave request.
- Repeated requests to the same goform endpoint with varying payload lengths, the signature of an attacker hunting for the overflow offset.
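The following is an added example, not part of the original alert or of any Tenda code: a small detector that parses raw HTTP/1.x requests captured upstream of the router (proxy, IDS full capture or a span port) and flags the patterns listed above for /goform/IPSECsave. Everything about normal values is an assumption: it treats ipsecno as a short decimal index, uses MAX_LEN as a heuristic threshold, and considers only RFC 1918 ranges to be the LAN. The sample requests are constructed for illustration.

```python
"""Flag suspicious requests to the Tenda CH22 /goform/IPSECsave handler.

Added example (not from the advisory or the vendor). Assumptions, not
vendor facts: `ipsecno` is normally a short decimal index, MAX_LEN is a
heuristic threshold, and LAN_NETS lists the trusted source ranges.
"""
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/IPSECsave"
PARAM = "ipsecno"
MAX_LEN = 8  # assumption: legitimate index values are far shorter than this
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumption


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    start = lines[0].split(" ")
    method = start[0]
    target = start[1] if len(start) > 1 else "/"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "body": body.decode("latin-1")}


def extract_params(req: dict) -> dict:
    """Merge query-string and url-encoded body parameters (both reach goform)."""
    params = parse_qs(urlsplit(req["target"]).query, keep_blank_values=True)
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and "application/x-www-form-urlencoded" in ctype:
        for key, vals in parse_qs(req["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    return params


def is_lan(src_ip: str) -> bool:
    """True if the source address falls inside the assumed LAN ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in LAN_NETS)


def classify(raw: bytes, src_ip: Optional[str] = None) -> Optional[str]:
    """Return a reason string if the request looks like an attack, else None."""
    req = parse_http_request(raw)
    if urlsplit(req["target"]).path != TARGET_PATH:
        return None
    reasons = []
    if src_ip is not None and not is_lan(src_ip):
        reasons.append(f"source {src_ip} outside LAN ranges")
    for value in extract_params(req).get(PARAM, []):
        if len(value) > MAX_LEN:
            reasons.append(f"oversized ipsecno ({len(value)} bytes)")
        elif not value.isdigit():
            reasons.append("non-numeric ipsecno")
    return "; ".join(reasons) or None


def scan(requests: List[Tuple[str, bytes]]) -> List[Tuple[int, str]]:
    """Run classify over (src_ip, raw_request) pairs; return (index, reason) hits."""
    hits = []
    for i, (src_ip, raw) in enumerate(requests):
        reason = classify(raw, src_ip)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample traffic for illustration only.
FORM = b"Content-Type: application/x-www-form-urlencoded\r\n"
SAMPLE_REQUESTS = [
    # 0: benign save of IPsec entry 1 from the LAN
    ("192.168.0.20", b"POST /goform/IPSECsave HTTP/1.1\r\nHost: 192.168.0.1\r\n" + FORM
     + b"\r\nipsecno=1&ipsecName=site"),
    # 1: overflow probe with a 600-byte ipsecno, from the LAN
    ("192.168.0.66", b"POST /goform/IPSECsave HTTP/1.1\r\nHost: 192.168.0.1\r\n" + FORM
     + b"\r\nipsecno=" + b"A" * 600),
    # 2: same payload against an unrelated endpoint: not this CVE
    ("192.168.0.66", b"POST /goform/SysToolReboot HTTP/1.1\r\nHost: 192.168.0.1\r\n" + FORM
     + b"\r\nipsecno=" + b"A" * 600),
    # 3: small non-numeric value via query string from a WAN address
    ("203.0.113.5", b"GET /goform/IPSECsave?ipsecno=1%27 HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {reason}")
```

Requests 1 and 3 are flagged; request 2 carries the same payload but targets a different endpoint and is ignored, which keeps the rule specific to this CVE rather than to any long parameter. Feed it the reassembled request bytes from your capture tool together with the client address.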
Mitigation and prioritisation
- Apply the vendor's fixed firmware release as soon as one is available; the source data does not name a fixed version, so confirm it against Tenda's advisories rather than assuming the latest build is patched.
- If patching is delayed, block WAN access to the management interface: disable remote management and add inbound firewall rules denying HTTP/HTTPS to the router from untrusted networks.
- Disable or restrict the httpd management service to a trusted admin VLAN, and segment IoT and network gear away from user and server networks.
- Monitor for abnormal httpd crashes and for the request patterns listed above.
- If the CVE appears in CISA KEV or its EPSS score is at or above 0.5, treat it as priority 1; otherwise classify it as high priority and accelerate remediation.