
CVE-2025-11117: Buffer Overflow in Tenda CH22

Severity: High
Published: Sun Sep 28 2025 (09/28/2025, 19:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Tenda
Product: CH22

Description

A vulnerability was found in Tenda CH22 1.0.0.1. It affects the function formWrlExtraGet of the file /goform/GstDhcpSetSer. Manipulation of the argument dips causes a buffer overflow. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.

AI-Powered Analysis

Last updated: 09/28/2025, 19:39:35 UTC

Technical Analysis

CVE-2025-11117 is a high-severity remote buffer overflow vulnerability found in the Tenda CH22 router, specifically version 1.0.0.1. The flaw exists in the function formWrlExtraGet within the /goform/GstDhcpSetSer endpoint. It arises from improper handling of the 'dips' argument, which can be manipulated to cause a buffer overflow. The overflow can lead to memory corruption, potentially allowing an attacker to execute arbitrary code remotely without requiring user interaction or prior authentication. The vulnerability has a CVSS 4.0 base score of 8.7, reflecting the ease of exploitation (network attack vector, low attack complexity, no privileges or user interaction needed) and the high impact on confidentiality, integrity, and availability. Although no active exploitation in the wild is currently known, exploit code has been publicly disclosed, increasing the risk of imminent exploitation. The vulnerability affects a specific firmware version (1.0.0.1) of the Tenda CH22 device, which is a consumer-grade router commonly used in home and small office environments. The lack of available patches or mitigations at the time of disclosure further elevates the risk profile.

Potential Impact

For European organizations, especially small businesses and home offices relying on Tenda CH22 routers, this vulnerability poses a significant threat. Successful exploitation could allow attackers to gain unauthorized control over the router, leading to interception or manipulation of network traffic, deployment of malware, or pivoting into internal networks. This could compromise sensitive data confidentiality, disrupt network availability, and undermine the integrity of communications. Given the router’s role as a network gateway, exploitation could facilitate broader attacks such as man-in-the-middle, DNS hijacking, or persistent backdoors. The impact is particularly critical for organizations with limited IT security resources that may not promptly detect or mitigate such intrusions. Additionally, the vulnerability’s remote exploitability without authentication means attackers can target devices exposed to the internet, increasing the attack surface. The absence of patches at disclosure time means organizations must rely on interim mitigations, increasing operational risk.

Mitigation Recommendations

Immediate mitigation steps include isolating affected Tenda CH22 devices from untrusted networks, especially the internet, to reduce exposure. Network segmentation should be employed to limit the router’s access to critical internal resources. Organizations should monitor network traffic for unusual activity indicative of exploitation attempts, such as unexpected connections to the /goform/GstDhcpSetSer endpoint or anomalous DHCP server configurations. Deploying intrusion detection/prevention systems (IDS/IPS) with signatures targeting this vulnerability can help detect exploitation attempts. Users should regularly check Tenda’s official channels for firmware updates addressing this vulnerability and apply patches promptly once available. As a longer-term measure, organizations should consider replacing vulnerable devices with routers from vendors with stronger security track records and timely patch management. Additionally, disabling remote management features on the router, if enabled, can reduce the attack surface. Implementing strict firewall rules to restrict inbound traffic to trusted sources further mitigates risk.
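
One way to implement the traffic monitoring recommended above, as an added example that is not part of the original advisory: a Python filter over web or proxy log lines that flags requests to /goform/GstDhcpSetSer carrying an oversized dips value or coming from a host outside a management allowlist. The log layout, the 64-character threshold, the allowlist and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/goform/GstDhcpSetSer"  # endpoint named in the advisory
PARAM = "dips"                      # argument named in the advisory
MAX_LEN = 64                        # assumed threshold; the advisory gives no buffer size
ADMIN_HOSTS = {"192.168.0.10"}      # assumed management workstation(s)

# Constructed sample lines in an assumed layout: "<src> <method> <url> <body or ->"
SAMPLE_LOG = [
    "192.168.0.10 POST /goform/GstDhcpSetSer dips=192.168.0.100",
    "192.168.0.10 GET /index.html -",
    "203.0.113.7 POST /goform/GstDhcpSetSer dips=" + "A" * 300,
    "192.168.0.55 GET /goform/GstDhcpSetSer?dips=" + "%41" * 200 + " -",
    "198.51.100.20 POST /goform/GstDhcpSetSer dips=10.0.0.2",
]


def classify(line):
    """Return (src, reason) for a request worth an alert, else None."""
    fields = line.split()
    if len(fields) != 4:
        return None  # not in the assumed layout
    src, _method, url, body = fields
    parts = urlsplit(url)
    if unquote(parts.path).rstrip("/") != ENDPOINT:
        return None
    # Collect the parameter from both the query string and a form-encoded body;
    # parse_qs percent-decodes, so encoded padding is measured at decoded length.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    if body != "-":
        values += parse_qs(body, keep_blank_values=True).get(PARAM, [])
    longest = max((len(v) for v in values), default=0)
    if longest > MAX_LEN:
        return (src, "oversized-dips")
    if src not in ADMIN_HOSTS:
        return (src, "unexpected-source")
    return None


def scan(lines):
    """Run classify over every line and keep only the alerts."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG):
        print(f"ALERT {reason} from {src}")
```
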


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-27T17:38:56.504Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d98ed7da6b87fcc8fca724

Added to database: 9/28/2025, 7:39:03 PM

Last enriched: 9/28/2025, 7:39:35 PM

Last updated: 9/28/2025, 9:43:30 PM
