CVE-2025-12272: Buffer Overflow in Tenda CH22

Severity: High
Tags: Vulnerability, CVE-2025-12272, cve, cve-2025-12272
Published: Mon Oct 27 2025 (10/27/2025, 12:02:14 UTC)
Source: CVE Database V5
Vendor/Project: Tenda
Product: CH22

Description

A security flaw has been discovered in Tenda CH22 1.0.0.1. This impacts the function fromAddressNat of the file /goform/addressNat. Performing manipulation of the argument page results in buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.

AI-Powered Analysis

Last updated: 11/03/2025, 12:25:08 UTC

Technical Analysis

CVE-2025-12272 is a buffer overflow vulnerability identified in the Tenda CH22 router firmware version 1.0.0.1. The vulnerability resides in the fromAddressNat function within the /goform/addressNat endpoint. Specifically, the flaw is triggered by manipulating the 'page' argument, which leads to a buffer overflow condition. This type of vulnerability occurs when input data exceeds the allocated buffer size, potentially overwriting adjacent memory and enabling arbitrary code execution or system crashes. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, making it highly accessible to attackers. The CVSS v4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges needed. While no confirmed exploits are observed in the wild, a public proof-of-concept exploit has been released, increasing the likelihood of active exploitation. The vulnerability affects only the specific firmware version 1.0.0.1, and no official patches have been linked yet. Attackers exploiting this flaw could gain control over the router, intercept or manipulate network traffic, or disrupt network availability, posing serious risks to organizational networks.

Potential Impact

For European organizations, this vulnerability could lead to significant operational disruptions and data breaches. Compromised Tenda CH22 routers could allow attackers to intercept sensitive communications, manipulate network configurations, or launch further attacks within the internal network. Critical infrastructure sectors such as telecommunications, finance, and government agencies using these devices may face heightened risks. The remote and unauthenticated nature of the exploit increases exposure, especially for organizations with internet-facing routers or poorly segmented networks. The potential for denial of service or full device compromise could impact business continuity and regulatory compliance, including GDPR mandates on data protection. Additionally, exploitation could serve as a foothold for lateral movement or persistent threats within European enterprise environments.

Mitigation Recommendations

Immediate mitigation should focus on isolating affected Tenda CH22 devices from untrusted networks, especially the internet, to reduce exposure. Network segmentation and firewall rules should restrict access to the /goform/addressNat endpoint. Organizations should monitor network traffic for unusual requests targeting the 'page' parameter and implement intrusion detection signatures where possible. Since no official patch is currently available, consider temporary device replacement or firmware rollback if a secure version exists. Vendors and users should prioritize obtaining and applying firmware updates once released. Additionally, conducting regular vulnerability scans and penetration tests can help identify vulnerable devices. Employing network behavior anomaly detection can also assist in early detection of exploitation attempts. Finally, educating IT staff about this specific threat will improve incident response readiness.
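
One way to implement the monitoring for unusual 'page' values recommended above, as an added example that is not part of the original advisory. It assumes requests to the device are visible to a proxy or sensor and that a legitimate 'page' value is a short number; the 8-character limit, the record layout and the sample records are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/addressNat"  # path named in the advisory
PARAM = "page"                   # argument named in the advisory
MAX_LEN = 8                      # assumed limit for a legitimate value; tune locally


def inspect(target, body=""):
    """Return the reasons a request looks suspicious (empty list if none)."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    # The argument may arrive in the query string or in a form-encoded body.
    values = []
    for raw in (parts.query, body):
        values += parse_qs(raw, keep_blank_values=True).get(PARAM, [])
    reasons = []
    for value in values:
        if len(value) > MAX_LEN:
            reasons.append(f"{PARAM} length {len(value)} exceeds {MAX_LEN}")
        elif not (value.isascii() and value.isdigit()):
            reasons.append(f"{PARAM} is not a plain number: {value!r}")
    if len(values) > 1:
        reasons.append(f"{PARAM} supplied {len(values)} times")
    return reasons


def scan(records):
    """Return (source, reasons) for every flagged (source, target, body) record."""
    return [(src, why) for src, target, body in records
            if (why := inspect(target, body))]


# Constructed sample records: (source address, request target, request body).
SAMPLE = [
    ("192.0.2.10", "/goform/addressNat?page=1", ""),
    ("198.51.100.7", "/goform/addressNat", "page=" + "A" * 600),
    ("198.51.100.7", "/goform/addressNat?page=1%0a2", ""),
    ("192.0.2.10", "/index.html?page=" + "A" * 600, ""),
]

if __name__ == "__main__":
    for src, why in scan(SAMPLE):
        print(src, "; ".join(why))
```

Lengths are measured after percent-decoding, so an encoded value is judged by the size the handler would receive.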

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-10-26T16:04:19.652Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ff609aba6dffc5e2ea040b

Added to database: 10/27/2025, 12:07:54 PM

Last enriched: 11/3/2025, 12:25:08 PM

Last updated: 12/8/2025, 10:32:47 AM
