
CVE-2025-13400: Tenda CH22 Buffer Overflow Vulnerability

CVE-2025-13400 is a buffer overflow vulnerability in Tenda CH22 Firmware affecting the formWrlExtraGet function. Attackers can exploit this remotely via the chkHz parameter. This article covers technical details, impact, and mitigation.

CVE-2025-13400 Overview

CVE-2025-13400 is a buffer overflow vulnerability affecting Tenda CH22 routers running firmware version 1.0.0.1. The flaw resides in the formWrlExtraGet function within the /goform/WrlExtraGet endpoint. Manipulation of the chkHz argument triggers a memory corruption condition that attackers can exploit remotely over the network. Public exploit details are available, increasing the likelihood of opportunistic attacks against exposed devices. The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer) and [CWE-120] (Classic Buffer Overflow).

Critical Impact

Remote attackers can trigger a buffer overflow in the Tenda CH22 web management interface, potentially leading to arbitrary code execution or denial of service on the affected router.

Affected Products

  • Tenda CH22 hardware device
  • Tenda CH22 firmware version 1.0.0.1
  • Devices exposing the /goform/WrlExtraGet endpoint to untrusted networks

Discovery Timeline

  • 2025-11-19 - CVE-2025-13400 published to NVD
  • 2026-02-24 - Last updated in NVD database

Technical Details for CVE-2025-13400

Vulnerability Analysis

The vulnerability exists in the formWrlExtraGet handler that processes HTTP requests sent to /goform/WrlExtraGet on the Tenda CH22 router web interface. The handler reads the chkHz parameter from incoming requests without enforcing proper length validation before copying it into a fixed-size stack buffer. When an attacker submits an oversized value, the copy operation writes beyond the buffer boundary and corrupts adjacent stack memory.

Successful exploitation can overwrite saved return addresses or function pointers on the stack. This may allow an attacker to redirect execution flow, crash the device, or run arbitrary code with the privileges of the web server process, which typically runs as root on embedded routers. The EPSS score of 0.391% indicates moderate predicted exploitation activity, and public exploit information is already circulating.

Root Cause

The root cause is missing bounds checking on user-supplied input. The formWrlExtraGet function trusts the length of the chkHz HTTP parameter and copies it directly into a stack-allocated buffer of fixed size. Embedded router firmware frequently uses unsafe string functions such as strcpy or sprintf without validating attacker-controlled input length, which is the underlying pattern behind [CWE-120].

Attack Vector

The attack vector is network-based and requires low privileges. An attacker who can reach the router's HTTP management interface, whether on the LAN or through an internet-exposed management port, can send a crafted HTTP request to /goform/WrlExtraGet containing an oversized chkHz parameter. No user interaction is required to trigger the overflow.

The vulnerability manifests in the request handler for /goform/WrlExtraGet. Refer to the GitHub CVE Issue Discussion and VulDB entry #332926 for technical analysis of the affected code path.

Detection Methods for CVE-2025-13400

Indicators of Compromise

  • HTTP POST or GET requests to /goform/WrlExtraGet containing unusually long values in the chkHz parameter
  • Unexpected reboots, crashes, or service interruptions on Tenda CH22 routers
  • Outbound connections from the router to unfamiliar external hosts following management interface activity
  • New or modified firmware configuration entries that were not initiated by an administrator

Detection Strategies

  • Inspect web access logs from the router or upstream proxies for requests targeting /goform/WrlExtraGet with parameter lengths exceeding typical values
  • Deploy network intrusion detection signatures that flag oversized chkHz parameters in HTTP traffic destined for router management interfaces
  • Correlate router crash events with preceding HTTP requests to identify exploitation attempts
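The log inspection described in the first strategy can be scripted. The following is an added example, not code from the vendor or the advisory: it scans access-log lines in Combined Log Format for requests to /goform/WrlExtraGet and flags those whose percent-decoded chkHz value exceeds a threshold. The 32-byte threshold, the log format, and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus, unquote_to_bytes

ENDPOINT = "/goform/WrlExtraGet"
PARAM = "chkHz"
MAX_LEN = 32  # assumed threshold; tune to what legitimate clients send

# Combined Log Format: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def oversized_requests(lines, max_len=MAX_LEN):
    """Return (client, time, decoded_length) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # Case-insensitive match so a case variant of the path is not missed
        if url.path.rstrip("/").lower() != ENDPOINT.lower():
            continue
        for pair in url.query.split("&"):
            name, _, value = pair.partition("=")
            if unquote_plus(name) != PARAM:
                continue
            # Measure bytes after percent-decoding, not the encoded length
            size = len(unquote_to_bytes(value.replace("+", " ")))
            if size > max_len:
                hits.append((m["client"], m["time"], size))
    return hits

# Constructed sample lines (documentation IP ranges, made-up timestamps)
SAMPLE = [
    '192.0.2.10 - - [01/Dec/2025:10:00:01 +0000] '
    '"GET /goform/WrlExtraGet?chkHz=1 HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Dec/2025:10:02:13 +0000] '
    '"GET /goform/WrlExtraGet?chkHz=' + "A" * 600 + ' HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Dec/2025:10:02:40 +0000] '
    '"GET /goform/WrlExtraGet?x=1&chkHz=' + "%41" * 200 + ' HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Dec/2025:10:05:00 +0000] '
    '"GET /index.html?chkHz=' + "B" * 600 + ' HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, when, size in oversized_requests(SAMPLE):
        print(f"{when} {client} chkHz={size} bytes")
```

Access logs record only the request line, so a chkHz value carried in a POST body will not appear here and needs a proxy or IDS that inspects request bodies.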

Monitoring Recommendations

  • Monitor inbound traffic to router management ports (typically TCP 80 and 443) from untrusted networks and alert on anomalies
  • Track firmware version inventory across all Tenda devices and flag any CH22 units running version 1.0.0.1
  • Log and review administrative actions performed against the router management interface

How to Mitigate CVE-2025-13400

Immediate Actions Required

  • Restrict access to the Tenda CH22 web management interface to trusted internal hosts only and disable any remote management feature
  • Place vulnerable CH22 devices behind a firewall and block external access to TCP ports 80 and 443 on the router
  • Audit network logs for prior requests to /goform/WrlExtraGet to identify potential exploitation attempts
  • Replace the device if the vendor does not provide a security patch, particularly for internet-facing deployments

Patch Information

At the time of publication, no official vendor patch has been linked in the NVD entry. Administrators should consult the Tenda Official Website for firmware updates and security advisories. Until a fix is published, network-level mitigations are the primary defense.

Workarounds

  • Disable remote (WAN-side) administration on the router so the vulnerable endpoint is not reachable from the internet
  • Segment the router management network from general user networks using VLANs or firewall rules
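  • Change default administrative credentials and enforce strong passwords so that the low-privilege access the attack requires is harder to obtain

```bash
# Example firewall rules to block external access to router HTTP management
# (adjust the interface name to your environment)
# Note: INPUT only matches traffic addressed to the host running iptables.
# On a separate firewall in front of the router, put the equivalent rules in
# the FORWARD chain and match the router IP as the destination (-d).
iptables -A INPUT -i wan0 -p tcp --dport 80 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 443 -j DROP
```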

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
