CVE-2025-12211: Stack-based Buffer Overflow in Tenda O3
A security flaw has been discovered in Tenda O3 1.0.0.10(2478). Affected by this issue is the function SetValue/GetValue of the file /goform/setDmzInfo. The manipulation of the argument dmzIP results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
AI Analysis
Technical Summary
CVE-2025-12211 is a stack-based buffer overflow vulnerability identified in Tenda O3 firmware version 1.0.0.10(2478). The vulnerability resides in the /goform/setDmzInfo endpoint, specifically within the SetValue and GetValue functions that handle the dmzIP parameter. Improper validation or sanitization of this input allows an attacker to overflow the stack buffer, leading to memory corruption. This flaw can be triggered remotely over the network without requiring authentication or user interaction, making it highly exploitable. Successful exploitation could enable an attacker to execute arbitrary code on the device with elevated privileges, potentially leading to full device compromise. The CVSS 4.0 score of 8.7 reflects the vulnerability's critical impact on confidentiality, integrity, and availability, combined with its low attack complexity and no requirement for privileges or user interaction. Although no confirmed exploitation in the wild has been reported, a public exploit has been released, increasing the risk of imminent attacks. The vulnerability affects a widely deployed consumer and small business networking device, which often serves as a gateway to internal networks, amplifying the potential damage. The lack of available patches at the time of disclosure means that organizations must rely on network-level mitigations and monitoring until firmware updates are released.
Potential Impact
For European organizations, exploitation of CVE-2025-12211 could result in unauthorized remote code execution on Tenda O3 devices, leading to full compromise of the affected routers. This can cause severe disruptions in network availability, interception or manipulation of sensitive data traversing the device, and potential lateral movement into internal networks. Critical infrastructure, small and medium enterprises, and home office environments using these devices are particularly vulnerable. The compromise of network gateways can undermine confidentiality and integrity of communications, facilitate persistent access for attackers, and enable further attacks such as data exfiltration or ransomware deployment. The remote, unauthenticated nature of the exploit increases the risk of widespread automated attacks targeting vulnerable devices across Europe. Additionally, the public availability of exploit code lowers the barrier for threat actors to weaponize this vulnerability rapidly.
Mitigation Recommendations
1. Immediately identify and inventory all Tenda O3 devices running firmware version 1.0.0.10(2478) within the network.
2. Monitor Tenda’s official channels for firmware updates addressing CVE-2025-12211 and apply patches as soon as they become available.
3. Until patches are released, implement network-level protections such as firewall rules or intrusion prevention system (IPS) signatures to block or alert on traffic targeting the /goform/setDmzInfo endpoint or suspicious dmzIP parameter manipulations.
4. Restrict remote management access to Tenda O3 devices by limiting access to trusted IP addresses and disabling remote administration if not required.
5. Conduct regular network traffic analysis to detect anomalous requests or exploitation attempts against the vulnerable endpoint.
6. Educate IT staff about the vulnerability and ensure incident response plans include steps for handling potential exploitation.
7. Consider segmenting networks to isolate vulnerable devices from critical assets to reduce potential impact.
8. Engage with vendors or third-party security providers for advanced detection and mitigation support if necessary.
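The Technical Summary attributes the flaw to missing validation of the dmzIP value, and mitigation items 3 and 5 ask for alerting on suspicious dmzIP values sent to /goform/setDmzInfo. The following is an added example, not code from the advisory, from VulDB or from Tenda: a strict dmzIP validator of the kind a corrected handler would need (a length bound checked before anything is copied, then a dotted-quad IPv4 check), reused by a small scanner that flags requests to the endpoint whose dmzIP value fails that check. The access-log format, the field names and the sample log lines are constructed for illustration; the 15-character bound is an assumption (the length of "255.255.255.255"), not a value from the advisory.

```python
"""Added example (not from the advisory or from Tenda): a strict validator for
the dmzIP parameter plus a log scanner that flags requests to
/goform/setDmzInfo whose dmzIP value fails validation. The log format, field
names and sample lines below are constructed for illustration."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/setDmzInfo"   # endpoint named in the advisory
PARAM = "dmzIP"                   # parameter named in the advisory
MAX_IPV4_LEN = 15                 # assumed bound: len("255.255.255.255")


def is_valid_dmz_ip(value: str) -> bool:
    """Accept only a plain dotted-quad IPv4 string within the length bound.

    The length check runs first: a handler that copies the value into a
    fixed-size stack buffer must reject oversize input before copying, not
    after parsing it."""
    if not value or len(value) > MAX_IPV4_LEN:
        return False
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


# Constructed access-log layout: client, method, request-target, body, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>GET|POST) (?P<target>\S+) '
    r'body="(?P<body>[^"]*)" (?P<status>\d{3})$'
)


def extract_dmz_ip(method: str, target: str, body: str):
    """Return (dmzIP value or None, endpoint_hit) for one request.

    The value is taken from the query string for GET and from the form body
    for POST; parse_qs percent-decodes it for us."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None, False
    source = parts.query if method == "GET" else body
    values = parse_qs(source, keep_blank_values=True).get(PARAM)
    if not values:
        return None, True          # endpoint hit, parameter absent
    return values[0], True


def scan_log(lines):
    """Return one finding per request to the endpoint whose dmzIP value fails
    validation, as (client, reason, value_length) tuples."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # not in the expected format; skip
        value, hit = extract_dmz_ip(m["method"], m["target"], m["body"])
        if not hit or value is None:
            continue
        if not is_valid_dmz_ip(value):
            reason = "oversize" if len(value) > MAX_IPV4_LEN else "not-ipv4"
            findings.append((m["client"], reason, len(value)))
    return findings


# Constructed sample traffic: one benign POST, one unrelated request, one
# oversize value, one malformed value, and one benign GET-style request.
SAMPLE_LOG = [
    '192.0.2.10 POST /goform/setDmzInfo body="dmzIP=192.168.1.50&dmzEnable=1" 200',
    '192.0.2.10 GET /goform/getDmzInfo body="" 200',
    '198.51.100.7 POST /goform/setDmzInfo body="dmzIP=' + "A" * 300 + '" 200',
    '198.51.100.7 POST /goform/setDmzInfo body="dmzIP=192.168.1.999" 200',
    '203.0.113.9 GET /goform/setDmzInfo?dmzIP=10.0.0.1 body="" 200',
]

if __name__ == "__main__":
    for client, reason, length in scan_log(SAMPLE_LOG):
        print(f"ALERT client={client} endpoint={ENDPOINT} reason={reason} len={length}")
```

Run against the sample lines, the scanner reports the 300-byte value as oversize and the out-of-range octet as not-ipv4 while letting the two well-formed values through; the same validator, applied on the device side before the value reaches a fixed buffer, is the input-side fix the Technical Summary describes as missing.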
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-25T11:59:09.592Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68feefec79a7bb5513b9db5f
Added to database: 10/27/2025, 4:07:08 AM
Last enriched: 11/3/2025, 6:06:59 AM
Last updated: 12/9/2025, 10:41:29 AM
Views: 113