CVE-2025-12211: Stack-based Buffer Overflow in Tenda O3
A security flaw has been discovered in Tenda O3 1.0.0.10(2478). Affected by this issue is the function SetValue/GetValue of the file /goform/setDmzInfo. Manipulation of the argument dmzIP results in a stack-based buffer overflow. The attack can be launched remotely. An exploit has been released to the public and may be used against unpatched devices.
AI Analysis
Technical Summary
CVE-2025-12211 is a stack-based buffer overflow vulnerability identified in the Tenda O3 router firmware version 1.0.0.10(2478). The vulnerability resides in the SetValue/GetValue functions within the /goform/setDmzInfo endpoint, which processes the dmzIP parameter. Improper bounds handling of this input allows an attacker to overflow a stack buffer, potentially overwriting critical memory regions such as saved return addresses. The flaw can be exploited remotely over the network without authentication or user interaction, making it highly accessible to attackers. Successful exploitation could lead to arbitrary code execution with elevated privileges, compromising the device's confidentiality, integrity, and availability. The vulnerability has been assigned a CVSS 4.0 score of 8.7, reflecting its high severity and ease of exploitation. Although no confirmed exploits are currently active in the wild, a public exploit has been released, increasing the risk of imminent attacks. The affected product, Tenda O3, is commonly used in small to medium enterprise and home network environments, often serving as a gateway device. The lack of available patches or vendor advisories at this time makes the situation worse. Attackers could leverage this vulnerability to gain persistent access, pivot into internal networks, or disrupt network services.
Potential Impact
For European organizations, exploitation of CVE-2025-12211 could result in severe operational disruptions and data breaches. Compromise of Tenda O3 devices may allow attackers to intercept or manipulate network traffic, deploy malware, or establish persistent footholds within corporate or critical infrastructure networks. This is particularly concerning for sectors relying on these devices for perimeter security or network segmentation, such as telecommunications, manufacturing, and public services. The remote, unauthenticated nature of the exploit increases the attack surface, enabling threat actors to target exposed devices directly from the internet. Given the public availability of exploit code, rapid exploitation attempts are likely, potentially leading to widespread incidents. The impact extends beyond individual devices, as compromised routers can serve as launch points for lateral movement or distributed denial-of-service (DDoS) attacks, affecting broader network availability and integrity.
Mitigation Recommendations
European organizations should immediately audit their networks to identify Tenda O3 devices running the vulnerable firmware version 1.0.0.10(2478). Where possible, isolate these devices from direct internet exposure using firewalls or VPNs. Disable the DMZ feature or restrict access to the /goform/setDmzInfo endpoint to trusted management networks only. Implement strict network segmentation to limit the potential spread of compromise. Monitor network traffic for unusual requests targeting the dmzIP parameter or the /goform/setDmzInfo path. Employ intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect exploitation attempts. Engage with Tenda support channels to obtain firmware updates or patches as they become available. As a longer-term strategy, consider replacing vulnerable devices with models that have robust security track records and timely patch support. Additionally, enforce strong network access controls and maintain comprehensive logging to facilitate incident response.
Affected Countries
Germany, France, Italy, Spain, United Kingdom
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-25T11:59:09.592Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68feefec79a7bb5513b9db5f
Added to database: 10/27/2025, 4:07:08 AM
Last enriched: 10/27/2025, 4:07:23 AM
Last updated: 10/27/2025, 7:23:46 AM