CVE-2025-12212 identifies a critical stack-based buffer overflow vulnerability in the Tenda O3 device firmware version 1.0.0.10(2478). The flaw resides in the handling of the upnpEn parameter within the /goform/setNetworkService endpoint, specifically in the SetValue and GetValue functions. By sending a specially crafted request that manipulates this argument, an attacker can overflow the stack buffer, potentially overwriting return addresses or control data. This can lead to arbitrary code execution with elevated privileges on the device. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no prerequisites. Although no active exploitation has been reported, a public exploit is available, increasing the likelihood of future attacks. The vulnerability affects a widely deployed consumer and small office/home office (SOHO) networking device, which often serves as a gateway to internal networks, amplifying the potential impact of compromise. The lack of an official patch link suggests that vendors or users must urgently seek firmware updates or apply workarounds to mitigate risk.

For European organizations, exploitation of this vulnerability could lead to full compromise of Tenda O3 devices, resulting in unauthorized access to internal networks, interception or manipulation of network traffic, and potential lateral movement within corporate environments. The buffer overflow could cause device crashes or persistent denial of service, disrupting critical network connectivity. Given the common use of Tenda devices in small and medium enterprises and residential settings, attackers could leverage this vulnerability to establish footholds for espionage, data exfiltration, or launching further attacks. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially in countries with high adoption of Tenda networking equipment. This could impact sectors reliant on stable internet connectivity, including remote workforces, critical infrastructure, and service providers. Additionally, compromised devices could be conscripted into botnets, amplifying threats to broader European network stability.

Organizations should immediately inventory their network to identify Tenda O3 devices running firmware version 1.0.0.10(2478). In the absence of an official patch, users should restrict access to the device management interface by implementing network segmentation and firewall rules to limit exposure to untrusted networks. Disabling UPnP services or the vulnerable /goform/setNetworkService endpoint, if configurable, can reduce attack surface. Monitoring network traffic for anomalous requests targeting this endpoint is advised. Vendors and users should prioritize firmware updates once available and consider replacing vulnerable devices if no timely patch is provided. Employing intrusion detection systems with signatures for this exploit can help detect attempted attacks. Additionally, educating users about the risks of exposing device management interfaces to the internet and enforcing strong network access controls will mitigate exploitation risks.