The vulnerability identified as CVE-2025-14995 affects the Tenda FH1201 router firmware version 1.2.0.14(408). It is a stack-based buffer overflow caused by improper handling of input in the sprintf function within the /goform/SetIpBind endpoint. Specifically, the vulnerability arises when the 'page' argument is manipulated, allowing an attacker to overflow the stack buffer. This flaw is remotely exploitable without requiring authentication or user interaction, as the vulnerable endpoint is accessible over the network. The CVSS 4.0 base score is 8.7, reflecting high severity due to the ease of exploitation (network attack vector, low attack complexity), no privileges or user interaction required, and the potential for complete compromise of confidentiality, integrity, and availability (high impact on all three). Exploitation could enable arbitrary code execution with elevated privileges on the router, potentially allowing attackers to disrupt network operations, intercept or manipulate traffic, or pivot into internal networks. Although no known exploits are currently observed in the wild, the public disclosure of the vulnerability increases the likelihood of exploit development. The vulnerability affects a widely used consumer and small business router model, which may be deployed in various European organizations, especially in small office/home office (SOHO) environments. The lack of an official patch at the time of disclosure necessitates immediate mitigation efforts to reduce exposure.

For European organizations, this vulnerability poses significant risks, particularly for those relying on Tenda FH1201 routers for network connectivity. Exploitation could lead to full compromise of the affected devices, enabling attackers to intercept sensitive data, disrupt network availability, or use the compromised routers as footholds for further attacks within corporate networks. This is especially critical for sectors such as finance, healthcare, and critical infrastructure where network reliability and data confidentiality are paramount. The remote and unauthenticated nature of the exploit increases the attack surface, potentially allowing widespread scanning and exploitation by threat actors. Additionally, the public disclosure without an immediate patch increases the window of vulnerability. Organizations using these devices in remote or less physically secure locations may face elevated risks due to easier attacker access. The impact extends beyond individual devices, as compromised routers can be leveraged in botnets or for launching distributed denial-of-service (DDoS) attacks, affecting broader network ecosystems.

1. Immediately restrict remote access to the router’s management interfaces, especially the /goform/SetIpBind endpoint, by implementing firewall rules or network segmentation. 2. Monitor network traffic for unusual or malformed requests targeting the vulnerable endpoint to detect potential exploitation attempts. 3. Disable any unnecessary remote management features on the Tenda FH1201 devices to reduce exposure. 4. Regularly check for and apply firmware updates or patches released by Tenda addressing this vulnerability. 5. Where possible, replace vulnerable devices with models from vendors with stronger security track records or that have timely patching processes. 6. Employ network intrusion detection/prevention systems (IDS/IPS) configured to detect buffer overflow attempts or exploit signatures related to this vulnerability. 7. Educate IT staff about the vulnerability and ensure incident response plans include steps for dealing with potential exploitation. 8. For critical environments, consider isolating vulnerable routers from sensitive network segments until patched or replaced.