A high-severity vulnerability has been discovered in Tenda FH1201 and FH1206 wireless routers, identified as CVE-2025-14994. This flaw allows a remote, unauthenticated attacker to execute arbitrary code and gain complete control over the affected devices. Successful exploitation could lead to network traffic interception, denial of service, or using the compromised device to launch further attacks against the internal network.

The vulnerability is a stack-based buffer overflow within the web management interface of the affected routers. An unauthenticated attacker can exploit this flaw by sending a specially crafted POST request containing an overly long string to a specific function in the device's web server. This action overwrites the stack, allowing the attacker to execute arbitrary code with root-level privileges on the underlying operating system.

This vulnerability presents a significant risk to the organization, categorized as a High severity with a CVSS score of 8.8. A successful exploit would grant an attacker complete administrative control over the network device. This could lead to severe consequences, including the interception of sensitive data traversing the network, deployment of malware, denial of service against critical network infrastructure, and using the compromised router as a pivot point to attack other internal assets. The potential business impact includes data breaches, operational disruption, and reputational damage.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately. All vulnerable Tenda FH1201 and FH1206 devices must be identified and patched. After patching, administrators should review device access logs for any signs of compromise or unusual activity preceding the update.

Proactive Monitoring: Monitor network traffic for anomalous POST requests directed at the routers' web management interface. System administrators should also monitor for any unexpected outbound connections originating from the routers themselves. Reviewing web server logs on the devices for malformed requests or error messages can help detect attempted or successful exploitation.

Compensating Controls: If immediate patching is not feasible, access to the device's web management interface should be strictly limited. Ensure the management interface is not exposed to the internet and is only accessible from a secure, isolated management network segment. Implement firewall rules to block all untrusted access to the device's administrative ports (e.g., TCP 80, 443).

Public Exploit Available: true

Given the high CVSS score of 8.8, the remote and unauthenticated nature of the exploit, and the public availability of PoC code, this vulnerability requires immediate attention. Although not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion. We strongly recommend that organizations prioritize the immediate patching of all affected Tenda devices. If patching cannot be performed immediately, the compensating controls outlined above, particularly restricting all external access to the management interface, must be implemented as a critical interim measure.