HIGH 8.8

CVE-2026-10188: Tenda W12 Stack Overflow Remote Code Execution

A stack-based buffer overflow vulnerability exists in Tenda W12 firmware version 3.0.0.7(4763). An authenticated remote attacker can exploit this flaw by manipulating the staMac parameter passed to the cgistaKickOff function in the HTTP daemon (/bin/httpd), potentially executing arbitrary code with elevated privileges. Public exploit code is available, elevating the practical risk of this vulnerability.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A flaw has been found in Tenda W12 3.0.0.7(4763). This affects the function cgistaKickOff of the file /bin/httpd. Executing a manipulation of the argument staMac can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10188 is a stack-based buffer overflow (CWE-119, CWE-121) in Tenda W12 firmware. The vulnerability resides in the cgistaKickOff function of /bin/httpd, where insufficient bounds checking on the staMac argument allows an authenticated attacker to write beyond allocated buffer boundaries. The attack vector is network-based, requires valid credentials, and does not require user interaction. The CVSS v3.1 score of 8.8 (HIGH) reflects the combination of remote exploitability and high impact on confidentiality, integrity, and availability.

Business impact

Exploitation could allow an authenticated attacker to compromise the integrity and confidentiality of network traffic managed by the Tenda W12 router, as well as disrupt service availability. In enterprise or critical network environments where this device serves as a gateway or access point, such a compromise could enable lateral movement, data exfiltration, or persistent presence. The public availability of exploit code substantially increases the likelihood of opportunistic attacks.

Affected systems

Tenda W12 firmware version 3.0.0.7(4763) is confirmed vulnerable. Organizations using this wireless router model in network infrastructure should verify their current firmware versions. Note: Tenda has not been confirmed to have released patched firmware; verify the vendor's official advisory for remediation guidance and any firmware updates addressing this issue.

Exploitability

This vulnerability requires authentication, which moderates but does not eliminate the threat in networks where default or weak credentials are common. The availability of public exploit code, combined with the straightforward attack surface (HTTP daemon parameter manipulation), means skilled attackers can weaponize this quickly. Network-based exploitability removes the need for physical access or user-triggered actions, making it attractive for targeted intrusions.

Remediation

Immediate action: consult Tenda's official security advisories and support channels for patched firmware versions. If patches are unavailable, implement network-level mitigations: restrict administrative access to the Tenda W12 via firewall rules, change default credentials to strong unique passwords, and consider network segmentation to limit exposure of management interfaces. Monitor for suspicious HTTP requests to /bin/httpd targeting the cgistaKickOff function.

Patch guidance

Verify the latest firmware available from Tenda's official support portal or security advisories. Apply any released firmware updates immediately upon availability. Test patches in a non-production environment first. If patches are not yet available, prioritize compensating controls (access restrictions, credential hardening) until an official fix is released. Track Tenda's CVE response page and firmware release notes for updates.

Detection guidance

Monitor HTTP access logs on affected Tenda W12 devices for POST/GET requests to cgistaKickOff or /bin/httpd with unusually long or malformed staMac parameter values. Set alerts for authentication events followed by unusual process execution or memory access patterns. Use network-based intrusion detection signatures targeting stack overflow patterns in HTTP requests to Tenda devices. Endpoint detection and response (EDR) tools on connected systems may also flag exploitation attempts.

Why prioritize this

HIGH priority due to: (1) high CVSS score (8.8) reflecting complete compromise potential, (2) public exploit code availability dramatically lowering the barrier to attack, (3) remote exploitability over HTTP, and (4) the critical role Tenda W12 routers often play in network access. Organizations should patch or implement compensating controls within 30 days. Authenticated requirement is a mitigating factor but not sufficient given default credential risks.

Risk score, explained

The CVSS v3.1 score of 8.8 reflects a network-adjacent attack vector, low attack complexity, and requirement for low-level privileges (authentication). The impact is high across all three dimensions: confidentiality (full information disclosure), integrity (unauthorized modification), and availability (service interruption). The public disclosure and availability of exploit code further justify treating this as a near-critical risk requiring rapid response.

Frequently asked questions

Can this vulnerability be exploited without authentication?

No. The CVSS vector specifies PR:L (low privilege required), meaning an attacker must authenticate to the Tenda W12's HTTP interface first. However, many Tenda devices ship with default credentials (admin/admin or similar), which are often not changed, significantly reducing this protection in practice.

What does the staMac parameter do, and why is it vulnerable?

The staMac parameter is intended to identify a wireless station (client) by its MAC address for device management functions. The cgistaKickOff function processes this input but fails to validate its length before copying it into a fixed-size stack buffer, enabling a classic stack overflow. Oversized input overwrites adjacent stack memory, potentially corrupting the return address and allowing code execution.

Is there a temporary workaround if I cannot patch immediately?

Restrict access to the Tenda W12's web management interface via firewall rules—only allow administrative access from specific trusted IPs. Change all default credentials to strong, unique passwords. Disable remote management if not required. These measures reduce exposure while you await a patched firmware release.

How does this compare in severity to other router vulnerabilities?

The 8.8 CVSS score places this in the high-severity category. Combined with public exploit code and remote exploitability, it ranks among the more dangerous router vulnerabilities. Similar flaws have historically been exploited for botnet recruitment, lateral network access, and data interception, making it a priority for patching.

This analysis is based on publicly available CVE data and vendor information current as of the publication date. SEC.co does not confirm the existence of patches or their completeness; organizations must verify against Tenda's official security advisories and release notes. No exploit code or weaponization details are provided. This document is for informational purposes and does not constitute professional security advice; consult with your security team or a qualified cybersecurity provider for remediation decisions specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).