CVE-2025-9006 is a high-severity buffer overflow vulnerability identified in the Tenda CH22 router firmware version 1.0.0.1. The vulnerability exists in the function formdelFileName within the /goform/delFileName endpoint. This function improperly handles input, allowing an attacker to craft a specially manipulated request that triggers a buffer overflow condition. Because the vulnerability is remotely exploitable without requiring user interaction or authentication, an attacker can send malicious requests over the network to the affected device. The buffer overflow could potentially allow an attacker to execute arbitrary code, cause a denial of service by crashing the device, or escalate privileges. The CVSS 4.0 base score of 8.7 reflects the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation (network attack vector, no privileges or user interaction required). Although no public exploits are currently known to be actively used in the wild, the exploit code has been disclosed publicly, increasing the risk of imminent exploitation. The vulnerability affects a specific firmware version (1.0.0.1) of the Tenda CH22, a consumer-grade router device. The lack of available patches at the time of publication means that affected users remain vulnerable until a vendor fix is released and applied.

For European organizations, this vulnerability poses a significant risk, especially for small and medium enterprises or home office environments that rely on Tenda CH22 routers for network connectivity. Successful exploitation could lead to unauthorized remote code execution, enabling attackers to gain control over the router. This could result in interception or manipulation of network traffic, disruption of internet access, or pivoting into internal networks to compromise additional systems. The confidentiality of sensitive data transmitted through the network could be compromised, and the integrity and availability of network services could be severely impacted. Given the router’s role as a network gateway, exploitation could facilitate broader attacks such as man-in-the-middle, malware distribution, or persistent network presence. The risk is compounded by the fact that the vulnerability requires no authentication and no user interaction, making automated scanning and exploitation feasible. Organizations with limited IT security resources may be particularly vulnerable to exploitation and subsequent operational disruption.

To mitigate this vulnerability, European organizations using Tenda CH22 routers should immediately identify devices running firmware version 1.0.0.1. Until an official patch is released, organizations should consider the following specific actions: 1) Restrict remote access to the router’s management interface by disabling WAN-side administration or limiting access to trusted IP addresses via firewall rules. 2) Implement network segmentation to isolate vulnerable routers from critical internal systems, reducing the potential impact of compromise. 3) Monitor network traffic for unusual activity or signs of exploitation attempts targeting the /goform/delFileName endpoint. 4) If possible, replace affected devices with alternative hardware that does not have this vulnerability. 5) Engage with Tenda support channels to obtain information on forthcoming patches and apply updates promptly once available. 6) Educate IT staff about this vulnerability to ensure rapid detection and response to potential exploitation attempts. 7) Employ intrusion detection/prevention systems (IDS/IPS) with signatures targeting this specific exploit once available.