HIGH 8.8

CVE-2026-10191: Tenda W12 Stack Buffer Overflow in Wi-Fi MAC Filter – Patch & Detection Guide

A stack-based buffer overflow exists in Tenda W12 firmware version 3.0.0.7(4763) within the Wi-Fi MAC filter configuration function. An authenticated attacker can exploit this by sending a specially crafted MAC address list parameter to the web interface, causing memory corruption that may lead to code execution, information disclosure, or service disruption. The vulnerability is reachable over the network and exploit code has been made publicly available.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A vulnerability was determined in Tenda W12 3.0.0.7(4763). Impacted is the function cgiWifiMacFilterSet of the file /bin/httpd. This manipulation of the argument wifiMacFilterSet.macList.mac causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the cgiWifiMacFilterSet function of /bin/httpd in Tenda W12 3.0.0.7(4763). The wifiMacFilterSet.macList.mac parameter is processed without proper bounds checking, enabling a stack-based buffer overflow (CWE-119, CWE-121). An authenticated attacker can overflow the stack buffer by supplying an oversized MAC address string, corrupting the call stack and potentially achieving arbitrary code execution within the httpd process context. The flaw is remotely exploitable with low attack complexity and does not require user interaction.

Business impact

Successful exploitation allows an authenticated attacker to execute arbitrary code on the affected router, potentially granting full device compromise. An attacker could intercept network traffic, modify firewall rules, pivot to internal networks, or cause denial of service. For organizations deploying Tenda W12 devices as network edge equipment or branch office gateways, this vulnerability represents a significant risk to network perimeter integrity and data confidentiality.

Affected systems

Tenda W12 firmware version 3.0.0.7(4763) is confirmed vulnerable. Organizations should verify whether other Tenda W12 firmware versions or related Tenda product lines share the same code path; this determination requires direct consultation with Tenda's security advisories. The vulnerability requires network access and valid administrative or user credentials to trigger.

Exploitability

This vulnerability has a CVSS 3.1 score of 8.8 (HIGH) with network reachability, low attack complexity, and authentication required. While the attack requires valid login credentials, the public disclosure of exploit code lowers the barrier to weaponization. Threat actors with network access and stolen or compromised credentials can quickly move from discovery to exploitation. The low complexity means no special environmental configuration is needed to trigger the flaw.

Remediation

Verify and deploy the latest firmware release from Tenda for the W12 product line to remediate this buffer overflow. Until patched firmware is available or can be deployed, restrict administrative access to the W12 web interface through network segmentation, firewall rules, or VPN gating. Review access logs for suspicious MAC filter configuration attempts. Consider temporarily disabling the MAC filter feature if it is not operationally critical.

Patch guidance

Contact Tenda support or visit their firmware download portal to obtain and verify the latest W12 firmware build. Apply patches during a maintenance window, backing up device configuration beforehand. Test patches in a non-production environment first if possible. Verify that the installed version differs from 3.0.0.7(4763) and confirm via Tenda's security advisories that the buffer overflow in cgiWifiMacFilterSet has been addressed. Document the patch date and version for compliance and incident response records.

Detection guidance

Monitor router logs and web server access logs for POST or GET requests to /bin/httpd containing the wifiMacFilterSet parameter with abnormally long or malformed MAC address values. Use intrusion detection signatures targeting buffer overflow patterns in MAC filter input. Correlate failed authentication attempts or credential reuse with subsequent successful logins followed by Wi-Fi configuration changes. Check for unexpected process behavior or spawned shells from the httpd process. Implement network telemetry to detect lateral movement or unusual traffic patterns following a successful login to the device.

Why prioritize this

This vulnerability merits immediate priority due to the combination of remote network accessibility, public exploit availability, high CVSS score (8.8), and the potential for complete device compromise. Although authentication is required, the prevalence of weak or reused credentials on IoT devices and the criticality of router security to network defense justify urgent patching. Organizations should treat this as a high-priority remediaton target within 30 days.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects network-based attack feasibility, low complexity, required authentication, and impacts to confidentiality, integrity, and availability. The score is tempered by the authentication requirement; however, this is offset by the public exploit disclosure and the attractive target profile of routers for lateral network movement. In environments where router credentials are not strictly controlled or where default credentials remain in use, the real-world risk may be higher than the base score suggests.

Frequently asked questions

Do I need valid credentials to exploit this vulnerability?

Yes. The CVSS vector indicates that authentication (PR:L) is required. An attacker must have valid user or administrative credentials for the Tenda W12 web interface. However, many organizations use default, weak, or shared credentials on router interfaces, making credential acquisition a practical barrier in many deployments.

Is this vulnerability on the CISA Known Exploited Vulnerabilities list?

No, this vulnerability is not currently tracked in the CISA KEV catalog as of the last update. However, public exploit code has been disclosed, meaning the technical details and proof-of-concept are available to potential attackers. Absence from the KEV list does not indicate lower risk; it may simply reflect timing or lack of observed active exploitation in federal systems.

What happens if an attacker successfully overflows the stack buffer?

A stack-based buffer overflow can corrupt the call stack, potentially allowing an attacker to overwrite return addresses or function pointers. This may enable arbitrary code execution within the httpd process, data exfiltration from device memory, or denial of service through process crash. The attacker would then operate with the privileges of the httpd process, typically running as root or a privileged system user on the router.

Can this vulnerability be exploited without network access?

No. The CVSS vector specifies AV:N (network-adjacent), meaning the attacker must have network access to reach the affected httpd service. However, in typical deployments the router's web interface is accessible from the LAN, internal networks, and sometimes the internet if port forwarding or cloud management is enabled. Threat actors with any network foothold or compromised credentials can attempt exploitation.

This analysis is based on the published CVE record as of June 2026. SEC.co does not verify patch availability or conduct independent testing of fixes. Organizations must validate all remediation steps against Tenda's official security advisories and test in their own environments. The assessment assumes the accuracy of the published CVE details and CVSS scoring; variations in device configuration, firmware variants, or network architecture may affect real-world risk. This information is provided for informational purposes and does not constitute professional security advice or legal counsel. Always verify vendor patch guidance and consult with your security team before deploying changes to production infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).