CVE-2026-10192: Tenda W12 Stack Overflow Remote Code Execution
A stack-based buffer overflow vulnerability exists in Tenda W12 firmware version 3.0.0.7(4763). An authenticated attacker can send a specially crafted time-setting request to the web interface that causes a memory corruption condition, potentially allowing arbitrary code execution on the affected device. Public exploit code is available, increasing the practical risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in Tenda W12 3.0.0.7(4763). The affected element is the function set_local_time_0 of the file /bin/httpd. Such manipulation of the argument Time leads to stack-based buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the set_local_time_0 function within the /bin/httpd binary. The Time parameter fails to implement proper bounds checking before copying user-supplied input to a fixed-size stack buffer. This classic stack-based buffer overflow (CWE-119, CWE-121) can be exploited by an authenticated user to overwrite the stack frame, hijack control flow, and execute arbitrary commands with the privileges of the httpd process. The flaw does not require user interaction and can be triggered over the network.
Business impact
Compromise of a Tenda W12 router provides an attacker with a foothold in the network perimeter. An adversary with valid credentials—obtained through phishing, default credentials, or prior compromise—can escalate to remote code execution, giving them the ability to intercept traffic, pivot to internal systems, deploy malware, or establish persistent access. For organizations relying on this device for branch office connectivity or guest network isolation, such compromise directly undermines network segmentation and defense-in-depth strategies.
Affected systems
Tenda W12 firmware version 3.0.0.7(4763) is confirmed vulnerable. Tenda W12 devices running this or earlier firmware versions are at risk. Organizations should verify their deployed Tenda W12 firmware revision immediately. Consult Tenda's advisories to determine whether other Tenda product lines or firmware branches are similarly affected.
Exploitability
This vulnerability requires authentication to trigger—an attacker must either have valid login credentials or bypass the authentication mechanism separately. The CVSS vector reflects this requirement (PR:L). However, the public availability of exploit code significantly lowers the barrier to weaponization. Organizations with weak credential hygiene, exposed management interfaces, or default credentials remain at elevated risk. The attack surface includes any network path that can reach the device's web interface.
Remediation
Firmware update is the definitive remediation. Identify the latest stable firmware release from Tenda for the W12 model and apply it to all affected devices. If no patched firmware is immediately available, implement network controls: restrict access to the device's web management interface to trusted administrative IPs, enforce strong authentication policies, and monitor for exploitation attempts. Consider replacing the device with an alternative vendor platform if Tenda does not provide timely patches.
Patch guidance
Check Tenda's official support website for W12 firmware releases newer than 3.0.0.7(4763). Download the latest firmware directly from Tenda, verify the checksum or signature if provided, and schedule a maintenance window to apply the update. Most Tenda devices can be updated via the web interface under System Tools or similar. Document pre- and post-update configurations, and test connectivity after the upgrade. If Tenda has not released a patched firmware version, contact their support channel for guidance and an expected remediation timeline.
Detection guidance
Monitor web server logs on affected Tenda W12 devices for POST requests to the set_local_time_0 endpoint or similar time-configuration URIs. Look for payloads with unusually long Time parameter values, null bytes, or characters inconsistent with standard timestamp formats. Network-based detection can flag connections to the Tenda device's management interface from unexpected sources. Intrusion detection systems may have signatures for stack overflow exploitation patterns; consult your IDS vendor for updates. Behavioral indicators include sudden device resets, unexpected process execution, or failed httpd process logs.
Why prioritize this
A CVSS 8.8 HIGH-severity vulnerability with authenticated remote code execution, combined with publicly available exploit code, demands immediate attention. While authentication is required, the prevalence of weak router credentials and the critical role routers play in network access control make this a top-tier priority for any organization deploying Tenda W12 devices.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects high impact (confidentiality, integrity, and availability all compromised via code execution), network-based attack surface, and low attack complexity. The PR:L requirement (authenticated access) prevents a 9.8 or higher score. However, the existence of public exploit code and the credential-reuse problem in many organizations elevate real-world risk above the CVSS score alone. Rate this as HIGH priority and treat it as critically urgent for any device exposed on a management network or accessible to untrusted users.
Frequently asked questions
Do I need valid Tenda W12 credentials to exploit this vulnerability?
Yes. The vulnerability requires prior authentication (PR:L in the CVSS vector). However, many Tenda devices ship with default credentials or lack credential rotation, making this a practical entry point. If your W12 has strong, unique credentials and is not exposed to untrusted networks, the risk is lower—but you should still update firmware.
Is this vulnerability on the CISA KEV catalog?
No, this vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. However, public exploit code exists, and organizations should not wait for KEV inclusion to remediate. Treat it as actively exploitable given the public tooling available.
What happens if I cannot update the Tenda W12 firmware immediately?
Implement compensating controls: restrict web interface access via IP allowlisting (limit to trusted admin networks), enforce strong authentication policies, disable remote management if possible, and segment the device's network traffic. Monitor logs and network activity for exploitation attempts. Establish a timeline with your IT leadership to obtain and test a patched firmware version within 30 days.
Can this vulnerability be exploited without network access to the device?
No. The vulnerability requires network connectivity to the Tenda W12's web interface (default HTTP/HTTPS on port 80/443). However, if the device is accessible from the Internet, an attacker with credentials can exploit it remotely. Ensure your W12 is not exposed to untrusted networks or the public Internet.
This report is provided for informational purposes to assist security professionals in vulnerability management. The information is derived from available public sources and vendor advisories. SEC.co does not provide warranty regarding the accuracy or completeness of this analysis. Always verify patch availability and firmware version compatibility directly with Tenda before deployment. Testing in a non-production environment is strongly recommended. Users are responsible for assessing risk within their own environment and determining appropriate remediation timelines. Consult vendor documentation and your organization's change management process for safe deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow