CVE-2025-14994

moderate-risk

Published 2025-12-21

A flaw has been found in Tenda FH1201 and FH1206 1.2.0.14(408)/1.2.0.8(8155). This impacts the function strcat of the file /goform/webtypelibrary of the component HTTP Request Handler. This manipulation of the argument webSiteId causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used.

Do I need to act?

0.13% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (2)

Fh1201 Firmware

Fh1206 Firmware

Affected Vendors

Tenda

References (7)

Exploit https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1201/webtypl...

Exploit https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1206/webtypl...

Permissions Required https://vuldb.com/?ctiid.337688

Third Party Advisory https://vuldb.com/?id.337688

Third Party Advisory https://vuldb.com/?submit.719153

Third Party Advisory https://vuldb.com/?submit.719155

Product https://www.tenda.com.cn/

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 1/34 · Minimal

Exposure 7/34 · Low