Skip to main content
CVE Vulnerability Database

CVE-2025-2992: Tenda FH1202 Auth Bypass Vulnerability

CVE-2025-2992 is an authentication bypass vulnerability in Tenda FH1202 Firmware affecting the web management interface. Attackers can exploit improper access controls remotely. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-2992 Overview

CVE-2025-2992 is an improper access control vulnerability in the Tenda FH1202 router running firmware version 1.2.0.14(408). The flaw resides in the /goform/AdvSetWrlsafeset endpoint of the Web Management Interface. Attackers can reach this endpoint remotely without authentication and manipulate wireless safety settings. The weakness is tracked under [CWE-266: Incorrect Privilege Assignment]. Public disclosure includes a working proof of concept, increasing the likelihood of opportunistic exploitation against exposed devices.

Critical Impact

Remote, unauthenticated attackers can modify wireless configuration parameters on affected Tenda FH1202 routers due to missing access controls on the AdvSetWrlsafeset handler.

Affected Products

  • Tenda FH1202 router hardware
  • Tenda FH1202 firmware version 1.2.0.14(408)
  • Web Management Interface endpoint /goform/AdvSetWrlsafeset

Discovery Timeline

  • 2025-03-31 - CVE-2025-2992 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-2992

Vulnerability Analysis

The Tenda FH1202 exposes administrative form handlers through the /goform/ path in its embedded Web Management Interface. The AdvSetWrlsafeset handler processes wireless safety configuration requests. The handler does not enforce access control checks on incoming requests. Any client with network reachability to the management interface can invoke the endpoint and alter its parameters.

The attack requires no privileges, no user interaction, and no local access. Because the attack vector is network-based, routers with exposed management interfaces on WAN or reachable LAN segments are directly exploitable. The vulnerability is mapped to [CWE-266], indicating that operations reserved for privileged users are accessible to unauthenticated callers.

Root Cause

The firmware handler for AdvSetWrlsafeset lacks authentication and authorization enforcement before processing configuration writes. Session validation logic that should gate administrative form submissions is either missing or bypassed for this specific endpoint. This design flaw enables privilege boundaries to be crossed by direct HTTP requests.

Attack Vector

An attacker sends a crafted HTTP request to /goform/AdvSetWrlsafeset on the router's management interface. No credentials, cookies, or session tokens are required. The handler accepts the request and applies the supplied parameters, modifying wireless-related settings on the device. A public proof of concept is referenced from the Notion Security Advisory and the VulDB entry #302041.

A proof-of-concept repository is published at kOaDT/poc-cve-2025-29927. The published code consists of standard build commands and does not include a device-specific exploitation payload:

bash
npm install
npm run build
npm run start

Source: kOaDT/poc-cve-2025-29927

Detection Methods for CVE-2025-2992

Indicators of Compromise

  • Unexpected HTTP POST or GET requests targeting /goform/AdvSetWrlsafeset from unauthorized source addresses
  • Unauthorized changes to wireless safety or advanced wireless settings on Tenda FH1202 devices
  • Web management interface accessed from WAN-side IP addresses when remote management should be disabled

Detection Strategies

  • Inspect router HTTP access logs for requests to /goform/AdvSetWrlsafeset that lack a preceding authenticated session
  • Correlate configuration change events on the device with authenticated administrator login sessions
  • Monitor for repeated probing of /goform/ endpoints from a single source, indicating enumeration of vulnerable handlers

Monitoring Recommendations

  • Enable syslog forwarding from the router to a central log collector and alert on management interface activity
  • Track baseline wireless configuration and alert on drift from the approved configuration
  • Restrict and log all network flows to the router management interface using upstream firewall rules

How to Mitigate CVE-2025-2992

Immediate Actions Required

  • Disable remote (WAN-side) web management on affected Tenda FH1202 devices
  • Restrict LAN access to the router administration interface to a dedicated management subnet or specific admin hosts
  • Replace the default administrator password with a strong, unique credential to reduce impact of related attacks
  • Inventory all Tenda FH1202 units running firmware 1.2.0.14(408) and prioritize them for remediation

Patch Information

At the time of publication, no vendor advisory or fixed firmware release is listed in the NVD reference set. Check the Tenda Official Website for firmware updates addressing the AdvSetWrlsafeset handler. Until a patch is available, treat affected devices as exposed and apply the network-layer mitigations below.

Workarounds

  • Place the router behind an upstream firewall and block inbound access to TCP ports serving the web management interface
  • Segment the router management VLAN from user, guest, and IoT networks
  • Consider replacing the device with a supported model if the vendor does not release a fix
bash
# Example upstream firewall rule (iptables) blocking WAN access to router HTTP admin
iptables -A FORWARD -d <router_ip> -p tcp --dport 80 -i <wan_iface> -j DROP
iptables -A FORWARD -d <router_ip> -p tcp --dport 443 -i <wan_iface> -j DROP

# Restrict LAN admin access to a single management host
iptables -A FORWARD -d <router_ip> -p tcp --dport 80 ! -s <admin_host> -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.