CVE-2026-10189: Tenda W12 Stack Overflow RCE – Patch Guidance
A stack-based buffer overflow vulnerability exists in Tenda W12 firmware version 3.0.0.7(4763). The flaw is in the web server's time configuration function, which fails to properly validate user input in the 'sec' parameter. An authenticated attacker can exploit this over the network to crash the device or execute arbitrary code with the privileges of the web server process. Public exploit code is available, increasing practical risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in Tenda W12 3.0.0.7(4763). This vulnerability affects the function cgiSysTimeInfoSet of the file /bin/httpd. The manipulation of the argument sec leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the cgiSysTimeInfoSet function within /bin/httpd on Tenda W12 3.0.0.7(4763). Insufficient bounds checking on the 'sec' argument permits a stack-based buffer overflow (CWE-119, CWE-121). An attacker with valid credentials can craft a malicious HTTP request to overflow the stack and potentially achieve remote code execution. The attack requires network access and valid authentication but no user interaction.
Business impact
Compromise of a Tenda W12 access point could grant an attacker persistent network presence, enable lateral movement into connected systems, or facilitate man-in-the-middle attacks. For organizations relying on these devices as network edge or branch office infrastructure, successful exploitation could disrupt connectivity, compromise data confidentiality, and enable further intrusion. The availability of public exploits significantly shortens the window before opportunistic attacks occur.
Affected systems
Tenda W12 firmware version 3.0.0.7(4763) is confirmed affected. Organizations should inventory deployments of this specific firmware build. Verify whether other W12 firmware versions or related Tenda products contain the same code path; check Tenda's advisory for the full list of affected versions and device models.
Exploitability
The vulnerability is exploitable remotely by any user with valid authentication credentials. No special tools are required beyond HTTP manipulation. Publicly disclosed exploit code is available, removing the barrier to weaponization. Attack complexity is low; the overflow is triggered by a simple parameter manipulation. However, the requirement for prior authentication limits exposure to insider threats or compromised user accounts rather than unauthenticated internet-wide scanning.
Remediation
Contact Tenda for a firmware update addressing this vulnerability. Immediately apply patches when available. As interim mitigation, restrict access to the web management interface to trusted administrative networks via firewall rules or network segmentation. Disable remote management features if not required. Monitor device logs for failed or successful authentication attempts followed by anomalous HTTP requests to the affected endpoint.
Patch guidance
Check Tenda's support website and security advisories for patched firmware versions. Verify the firmware release notes explicitly address CVE-2026-10189. Follow Tenda's documented firmware upgrade procedure carefully to avoid bricking the device. Test patches in a non-production environment first. Establish a firmware rollback plan in case the update causes network instability. Set a deadline for deployment across your asset inventory.
Detection guidance
Monitor HTTP traffic to /bin/httpd for requests to cgiSysTimeInfoSet with unusually large or malformed 'sec' parameters. Log all successful and failed authentication attempts on the device web interface. Enable verbose logging if available. Search historical logs for similar patterns. Configure intrusion detection signatures to flag buffer overflow patterns in HTTP POST data targeting this endpoint. Implement network access controls to permit management access only from designated administrative subnets.
Why prioritize this
This vulnerability merits urgent attention due to its HIGH CVSS score (8.8), network exploitability, complete impact potential (confidentiality, integrity, availability), and publicly available exploit code. While authentication is required, many organizations do not adequately segregate or rotate credentials for network device management, making compromise plausible. The combination of remote attack surface and code execution capability elevates risk substantially.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects network-based attack vector, low attack complexity, and high impact across all three security pillars (CIA). The requirement for low-privilege authentication prevents a perfect 9.9 score. In practice, risk depends on credential hygiene, network segmentation, and the operational criticality of affected Tenda devices in your environment.
Frequently asked questions
Do I need valid credentials to exploit this vulnerability?
Yes. The vulnerability requires an authenticated session, meaning the attacker must possess valid login credentials or have compromised them elsewhere. This significantly reduces the attack surface compared to unauthenticated exploits but does not eliminate risk if administrative credentials are weak, reused, or shared across devices.
What happens if the buffer overflow succeeds?
Successful exploitation can result in remote code execution (RCE) with the privileges of the httpd process, typically running as root on embedded devices. This permits attackers to modify configurations, exfiltrate data, pivot to other network segments, or install persistent backdoors.
Is this vulnerability in the CISA Known Exploited Vulnerabilities (KEV) catalog?
This vulnerability is not currently on the CISA KEV list. However, public exploit code exists, so organizations should not rely on KEV inclusion as a signal of urgency; treat it as actively exploitable regardless.
Are older Tenda W12 firmware versions also vulnerable?
The confirmed affected version is 3.0.0.7(4763). Other firmware versions may contain the same vulnerable code. Consult Tenda's security advisory for the complete list of affected firmware builds, and do not assume newer versions are patched without explicit confirmation.
This analysis is provided for informational purposes to help security teams prioritize vulnerability response. It is not a substitute for official vendor advisories or legal advice. Organizations must verify all technical claims against official Tenda documentation and conduct testing in their own environment before deploying patches or mitigations. SEC.co makes no warranty regarding the completeness or accuracy of this information relative to future disclosures or vendor actions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow