EUVD-2025-21204

CVE-2025-7463 | HIGH | 8.8 (CVSS 3.1)
2025-07-12

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 08:56 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 08:56 (euvd), EUVD-2025-21204
PoC Detected: Jul 15, 2025 - 18:09 (vuln.today), public exploit code
CVE Published: Jul 12, 2025 - 06:15 (nvd), HIGH 8.8

Description

A vulnerability was found in Tenda FH1201 1.2.0.14. It has been declared as critical. This vulnerability affects the function formWrlsafeset of the file /goform/AdvSetWrlsafeset of the component HTTP POST Request Handler. The manipulation of the argument mit_ssid leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

A critical buffer overflow vulnerability exists in Tenda FH1201 wireless router firmware version 1.2.0.14, located in the HTTP POST handler for wireless safety settings. An authenticated attacker can remotely exploit this vulnerability by sending a crafted request with an oversized 'mit_ssid' parameter to the /goform/AdvSetWrlsafeset endpoint, achieving remote code execution with complete system compromise (confidentiality, integrity, and availability). A public proof-of-concept exploit is available, and this vulnerability meets CISA KEV criteria for active exploitation in the wild.

Technical Context

This vulnerability affects Tenda FH1201 (CPE: cpe:2.3:o:tendacn:fh1201_firmware:1.2.0.14:*:*:*:*:*:*:*) and involves the HTTP POST request handler component responsible for parsing wireless configuration parameters. The root cause is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), a classic buffer overflow flaw where the 'mit_ssid' parameter is copied into a fixed-size stack or heap buffer without proper length validation. The vulnerable function 'formWrlsafeset' fails to implement bounds checking on user-supplied input, allowing an attacker to overflow adjacent memory structures. Given the context, the overflow is most probably stack-based, which means it can overwrite return addresses or function pointers, enabling arbitrary code execution with the privileges of the HTTP daemon process (typically running as root on embedded systems).

Affected Products

Tenda FH1201 wireless router firmware version 1.2.0.14 (CPE: cpe:2.3:o:tendacn:fh1201_firmware:1.2.0.14:*:*:*:*:*:*:*). Potentially affected hardware: Tenda FH1201 (CPE: cpe:2.3:h:tendacn:fh1201:*:*:*:*:*:*:*:*). Earlier firmware versions may be vulnerable; later versions (>1.2.0.14) should be verified for patching. Regional variants (FH1201 is sold globally) may have different firmware versions. The vendor advisory from Tenda should be consulted for the complete list of affected versions; no specific patch version reference is provided in the CVE description.

Remediation

Immediate actions:

(1) If patched firmware is available from Tenda, upgrade FH1201 to the latest stable version beyond 1.2.0.14; contact Tenda support or visit their support portal for firmware downloads.
(2) As a temporary workaround, restrict access to the /goform/AdvSetWrlsafeset endpoint via firewall rules if remote management is not required (disable HTTP/HTTPS WAN access).
(3) Change default/weak administrative credentials immediately if not already done.
(4) Monitor router logs for HTTP POST requests to /goform/AdvSetWrlsafeset with unusual 'mit_ssid' parameters (may indicate exploitation attempts).
(5) Consider network segmentation to isolate IoT/router devices.

Long-term: replace FH1201 with models receiving active vendor security support, or subscribe to Tenda's security advisories for patched firmware releases.
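To illustrate the monitoring in action (4), this added example (not from the advisory or from Tenda) flags POST requests to /goform/AdvSetWrlsafeset whose percent-decoded mit_ssid exceeds 32 octets or carries control bytes. It assumes raw requests captured by a proxy or IDS in front of the management interface and a urlencoded body. The threshold is the IEEE 802.11 SSID limit rather than the firmware's buffer size, which the page does not give. The sample requests and the `security` field are constructed.

```python
from urllib.parse import unquote_to_bytes, urlsplit

ENDPOINT = "/goform/AdvSetWrlsafeset"  # endpoint named in the advisory
PARAM = b"mit_ssid"                    # parameter named in the advisory
MAX_SSID_OCTETS = 32                   # IEEE 802.11 SSID limit; assumed threshold


def form_fields(body: bytes):
    """Yield (name, value) byte pairs from a urlencoded body, percent-decoded."""
    for pair in body.split(b"&"):
        name, _, value = pair.partition(b"=")
        yield (unquote_to_bytes(name.replace(b"+", b" ")),
               unquote_to_bytes(value.replace(b"+", b" ")))


def inspect_request(raw: bytes) -> list[str]:
    """Return findings for one captured HTTP request; an empty list means clean."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if (len(parts) != 3 or parts[0].upper() != "POST"
            or urlsplit(parts[1]).path.rstrip("/") != ENDPOINT):
        return []
    findings = []
    for value in (v for n, v in form_fields(body) if n == PARAM):
        # Measure after decoding: the handler sees octets, not the %XX text.
        if len(value) > MAX_SSID_OCTETS:
            findings.append(f"mit_ssid is {len(value)} octets (limit {MAX_SSID_OCTETS})")
        if any(b < 0x20 or b == 0x7F for b in value):
            findings.append("mit_ssid contains control bytes")
    return findings


def make_request(path: str, body: bytes) -> bytes:
    """Build a constructed sample request (test data only, not a real capture)."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


# Constructed samples; "security" is a hypothetical extra form field.
SAMPLES = {
    "benign": make_request(ENDPOINT, b"mit_ssid=HomeNet&security=wpa2"),
    "encoded_ok": make_request(ENDPOINT, b"mit_ssid=" + b"%e4%b8%ad" * 5),
    "oversized": make_request(ENDPOINT, b"mit_ssid=" + b"%41" * 40),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw) or "clean")
```

The `encoded_ok` sample is 45 characters on the wire but 15 octets once decoded, so it is not flagged; a check on raw length would misreport it.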

Priority Score

64
KEV: 0
EPSS: +0.2
CVSS: +44
POC: +20
