CVE-2025-9297: Stack-based Buffer Overflow in Tenda i22

Severity: High
Published: Thu Aug 21 2025 (08/21/2025, 12:02:11 UTC)
Source: CVE Database V5
Vendor/Project: Tenda
Product: i22

Description

A vulnerability was detected in Tenda i22 1.0.0.3(4687). This impacts the function formWeixinAuthInfoGet of the file /goform/wxportalauth. Performing manipulation of the argument Type results in stack-based buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.

AI-Powered Analysis

Last updated: 08/21/2025, 12:32:54 UTC

Technical Analysis

CVE-2025-9297 is a high-severity stack-based buffer overflow vulnerability found in the Tenda i22 router, specifically version 1.0.0.3(4687). The flaw exists in the function formWeixinAuthInfoGet within the /goform/wxportalauth endpoint. By manipulating the 'Type' argument passed to this function, an attacker can trigger a stack-based buffer overflow condition. This vulnerability is remotely exploitable without requiring user interaction or prior authentication, making it particularly dangerous. The overflow can potentially allow an attacker to execute arbitrary code with elevated privileges on the affected device, compromising confidentiality, integrity, and availability. The CVSS 4.0 score is 8.7, reflecting the ease of remote exploitation (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:L, UI:N), and high impact on confidentiality, integrity, and availability (VC:H, VI:H, VA:H). Although no known exploits are currently observed in the wild, a public exploit has been released, increasing the risk of active exploitation. The vulnerability affects a specific firmware version of the Tenda i22 router, a device commonly used in small office and home environments for internet connectivity. Given the nature of the flaw, successful exploitation could lead to full device compromise, enabling attackers to intercept or manipulate network traffic, pivot into internal networks, or disrupt network services.

Potential Impact

For European organizations, especially small and medium enterprises (SMEs) and residential users relying on Tenda i22 routers, this vulnerability poses a significant risk. Compromise of these routers could lead to interception of sensitive data, unauthorized network access, and disruption of business operations. In sectors with stringent data protection regulations like GDPR, such breaches could result in legal and financial penalties. Additionally, compromised routers could serve as footholds for lateral movement within corporate networks or be leveraged in botnet attacks affecting broader infrastructure. The remote exploitability without authentication increases the threat surface, particularly in environments where these devices are directly exposed to the internet or insufficiently segmented from critical assets.

Mitigation Recommendations

1. Immediate firmware update: Organizations and users should check for and apply any official patches or firmware updates from Tenda addressing this vulnerability. If no patch is available, consider upgrading to a newer, unaffected device model.
2. Network segmentation: Isolate Tenda i22 routers from critical internal networks to limit potential lateral movement in case of compromise.
3. Disable or restrict remote management interfaces, especially those exposed to the internet, to reduce attack vectors.
4. Implement firewall rules to block unauthorized access to the /goform/wxportalauth endpoint or related management ports.
5. Monitor network traffic for unusual activity indicative of exploitation attempts, such as unexpected outbound connections or anomalous payloads targeting the vulnerable endpoint.
6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect exploitation attempts of CVE-2025-9297.
7. Educate users and administrators about the risks and signs of router compromise to enable prompt incident response.
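
One way to implement the monitoring in items 5 and 6 is to flag requests to /goform/wxportalauth whose Type argument is oversized or carries non-printable bytes. This is an added example, not code from the advisory or from Tenda; the five-field proxy log format, the 64-byte threshold and the sample log lines are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/wxportalauth"  # path named in the advisory
PARAM = "type"                     # argument named in the advisory, matched case-insensitively
MAX_LEN = 64                       # assumed threshold, tune against legitimate portal traffic

def check_request(line):
    """Return a finding dict for a suspicious request line, else None.

    Assumed (hypothetical) proxy log format: "<ts> <src> <method> <uri> <body|->".
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, uri, body = parts
    url = urlsplit(uri)
    if url.path.rstrip("/") != ENDPOINT:
        return None
    reasons = []
    # Check query string and form body; latin-1 keeps one char per decoded byte.
    for raw in (url.query, "" if body == "-" else body):
        fields = parse_qs(raw, keep_blank_values=True, encoding="latin-1")
        for name, values in fields.items():
            if name.lower() != PARAM:
                continue
            for value in values:
                if len(value) > MAX_LEN:
                    reasons.append(f"{name} length {len(value)} > {MAX_LEN}")
                if any(not 0x20 <= ord(c) < 0x7F for c in value):
                    reasons.append(f"{name} contains non-printable bytes")
    if not reasons:
        return None
    return {"ts": ts, "src": src, "method": method, "reasons": reasons}

def scan(lines):
    """Collect findings for every line in an iterable of log lines."""
    return [f for f in map(check_request, lines) if f]

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    "2025-08-21T12:40:01Z 192.0.2.10 POST /goform/wxportalauth Type=1",
    "2025-08-21T12:41:17Z 198.51.100.7 POST /goform/wxportalauth Type=" + "A" * 300,
    "2025-08-21T12:42:03Z 198.51.100.7 GET /goform/wxportalauth?Type=%01%02x -",
    "2025-08-21T12:43:00Z 192.0.2.10 GET /index.html -",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Request bodies only appear in logs when the proxy or IDS in front of the device is configured to record them, so the body field may be empty in many deployments.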

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-21T05:20:16.875Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a70e6cad5a09ad0010ba7f

Added to database: 8/21/2025, 12:17:48 PM

Last enriched: 8/21/2025, 12:32:54 PM

Last updated: 8/21/2025, 2:26:50 PM
