CVE-2025-6111: Tenda FH1205 Buffer Overflow Vulnerability

CVE-2025-6111 Overview

CVE-2025-6111 is a stack-based buffer overflow in the Tenda FH1205 router running firmware version 2.0.0.7(775). The flaw resides in the fromVirtualSer function handling requests to /goform/VirtualSer. Attackers can trigger the overflow by manipulating the page argument in HTTP requests sent to the device. The vulnerability is remotely exploitable and the exploit details have been publicly disclosed. The issue maps to [CWE-119] improper restriction of operations within memory bounds and [CWE-787] out-of-bounds write.

Critical Impact
Remote attackers can corrupt stack memory on affected Tenda FH1205 routers, leading to denial of service or arbitrary code execution on the device.

Affected Products

Tenda FH1205 router (hardware)
Tenda FH1205 firmware version 2.0.0.7(775)
Deployments exposing the web management interface (/goform/VirtualSer)

Discovery Timeline

2025-06-16 - CVE-2025-6111 published to NVD
2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6111

Vulnerability Analysis

The Tenda FH1205 web management interface exposes the /goform/VirtualSer endpoint, which is handled by the fromVirtualSer function in the device's HTTP server. The function processes user-controlled HTTP parameters, including the page argument, and writes the supplied data into a fixed-size stack buffer without validating the input length. Sending an oversized page value causes data to overflow the buffer and overwrite adjacent stack memory, including the saved return address.

Once the return address is overwritten, the device's program counter can be redirected to attacker-controlled memory. On MIPS-based SOHO routers like the FH1205, this typically enables arbitrary command execution as the root user that runs the web server. Successful exploitation grants control over routing, DNS, and traffic interception capabilities on the affected network.

Root Cause

The root cause is missing length validation on user-supplied input before it is copied into a stack-allocated buffer in fromVirtualSer. The function relies on unsafe string handling routines that do not enforce the destination buffer size.

Attack Vector

An attacker with network access to the router's HTTP management interface and low-privileged authentication can craft a request to /goform/VirtualSer with an oversized page parameter. Because the management interface is often reachable from the LAN and sometimes exposed to the WAN, the attack surface includes both internal threat actors and remote adversaries when remote administration is enabled.

No verified proof-of-concept code is published in the enriched data. Technical write-up details are available in the Notion Security Document and VulDB entry #312580.

Detection Methods for CVE-2025-6111

Indicators of Compromise

HTTP POST or GET requests to /goform/VirtualSer containing unusually long page parameter values.
Unexpected reboots, crash logs, or watchdog resets on FH1205 devices following inbound HTTP traffic.
New or modified firewall, DNS, or port-forwarding rules appearing on the router without administrative action.
Outbound connections from the router itself to unknown hosts, indicating implanted code.

Detection Strategies

Inspect web access logs on the router and any upstream reverse proxy for requests to /goform/VirtualSer with parameter lengths above expected bounds.
Deploy network intrusion detection signatures that flag oversized query strings or POST bodies targeting Tenda /goform/ endpoints.
Baseline normal management traffic and alert on management-interface requests originating from non-administrator hosts or external IP ranges.

Monitoring Recommendations

Forward router syslog and HTTP request logs to a central SIEM for correlation against known Tenda exploitation patterns.
Monitor DHCP and ARP tables for unauthorized devices on networks fronted by FH1205 routers.
Alert on configuration drift such as unexpected DNS server changes, new virtual server entries, or remote management toggles.

How to Mitigate CVE-2025-6111

Immediate Actions Required

Restrict access to the router's web management interface to trusted internal hosts only and disable WAN-side administration.
Place affected FH1205 devices behind a network segment that filters inbound HTTP requests to /goform/VirtualSer.
Rotate administrative credentials, since the attack vector requires only low-privileged authentication.
Plan replacement of the device if no vendor firmware update is available, particularly for environments handling sensitive traffic.

Patch Information

At the time of publication, no fixed firmware version is referenced in the enriched data for CVE-2025-6111. Consult the Tenda Official Website for the latest FH1205 firmware releases and security bulletins.

Workarounds

Disable remote web management and limit the LAN management interface to a dedicated administrative VLAN.
Block external access to TCP ports used by the router's HTTP server using an upstream firewall.
Use an inline web application firewall or IPS to drop requests to /goform/VirtualSer containing oversized parameters.
Where feasible, replace the FH1205 with a currently supported device that receives security updates.

bash

# Example upstream firewall rule blocking external access to the router management UI
# Replace ROUTER_IP and WAN_IF with values appropriate for your environment
iptables -A FORWARD -i WAN_IF -p tcp -d ROUTER_IP --dport 80 -j DROP
iptables -A FORWARD -i WAN_IF -p tcp -d ROUTER_IP --dport 443 -j DROP