CVE-2025-3236

A vulnerability was found in Tenda FH1202 1.2.0.14(408). It has been declared as critical. This vulnerability affects unknown code of the file /goform/VirSerDMZ of the component Web Management Interface. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://lavender-bicycle-a5a.notion.site/Tenda-FH1202-VirSerDMZ-1bc53a41781f809b9e6cdd60fe4e428c?pvs=4	Exploit Third Party Advisory
https://vuldb.com/?ctiid.303262	Permissions Required VDB Entry
https://vuldb.com/?id.303262	Third Party Advisory VDB Entry
https://vuldb.com/?submit.546367	Third Party Advisory VDB Entry
https://www.tenda.com.cn/	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:tenda:fh1202_firmware:1.2.0.14\(408\):*:*:*:*:*:*:*

cpe:2.3:h:tenda:fh1202:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-04-04 10:15

Updated : 2025-05-28 14:46

NVD link : CVE-2025-3236

Mitre link : CVE-2025-3236

CVE.ORG link : CVE-2025-3236

JSON object : View

Products Affected

tenda

fh1202
fh1202_firmware

CWE

CWE-266

Incorrect Privilege Assignment

CWE-284

Improper Access Control

NVD-CWE-Other

{"id": "CVE-2025-3236", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-04T10:15:17.177", "references": [{"url": "https://lavender-bicycle-a5a.notion.site/Tenda-FH1202-VirSerDMZ-1bc53a41781f809b9e6cdd60fe4e428c?pvs=4", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.303262", "tags": ["Permissions Required", "VDB Entry"], "source": "[email protected]"}, {"url": "https://vuldb.com/?id.303262", "tags": ["Third Party Advisory", "VDB Entry"], "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.546367", "tags": ["Third Party Advisory", "VDB Entry"], "source": "[email protected]"}, {"url": "https://www.tenda.com.cn/", "tags": ["Product"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Tenda FH1202 1.2.0.14(408). It has been declared as critical. This vulnerability affects unknown code of the file /goform/VirSerDMZ of the component Web Management Interface. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Tenda FH1202 1.2.0.14(408). Se ha declarado cr\u00edtica. Esta vulnerabilidad afecta al c\u00f3digo desconocido del archivo /goform/VirSerDMZ del componente Interfaz de Administraci\u00f3n Web. La manipulaci\u00f3n genera controles de acceso inadecuados. El ataque puede iniciarse remotamente. Se ha hecho p\u00fablico el exploit y puede que sea utilizado."}], "lastModified": "2025-05-28T14:46:57.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:tenda:fh1202_firmware:1.2.0.14\\(408\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9FD9D0A-39F4-4AD8-AEE0-71C9E77D2799"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:tenda:fh1202:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4A632A11-60A0-457C-A039-BED32F83BD52"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}