CVE-2026-10189 Overview
CVE-2026-10189 is a stack-based buffer overflow vulnerability in the Tenda W12 wireless access point running firmware version 3.0.0.7(4763). The flaw resides in the cgiSysTimeInfoSet function within the /bin/httpd binary. Attackers can trigger the overflow by manipulating the sec argument supplied to the HTTP daemon. The vulnerability is reachable over the network and the exploit details have been published, increasing the risk of opportunistic attacks against exposed devices. The issue is classified under CWE-119 for improper restriction of operations within memory buffer bounds.
Critical Impact
A remote authenticated attacker can corrupt stack memory in the httpd process to achieve arbitrary code execution on the device, compromising confidentiality, integrity, and availability of the access point.
Affected Products
- Tenda W12 wireless access point
- Firmware version 3.0.0.7(4763)
- /bin/httpd web management service
Discovery Timeline
- 2026-05-31 - CVE-2026-10189 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10189
Vulnerability Analysis
The vulnerability exists in the cgiSysTimeInfoSet handler exposed by the embedded HTTP server (/bin/httpd) on the Tenda W12. This handler processes system time configuration requests submitted through the web management interface. The sec argument, which represents a time component, is copied into a fixed-size stack buffer without proper length validation. An attacker who supplies an oversized sec value overruns the buffer and overwrites adjacent stack memory, including the saved return address.
Because embedded MIPS or ARM binaries in consumer networking devices typically lack modern exploit mitigations such as stack canaries and full ASLR, an attacker can redirect control flow to attacker-supplied shellcode or to ROP gadgets within httpd itself. Successful exploitation yields code execution as the user running the web service, generally root on this device class.
Root Cause
The root cause is missing bounds checking when copying the sec parameter into a stack-allocated buffer inside cgiSysTimeInfoSet. The function trusts the attacker-controlled input length, which permits memory corruption past the buffer boundary as described in CWE-119.
Attack Vector
An authenticated attacker sends a crafted HTTP request to the management endpoint backed by cgiSysTimeInfoSet, providing an oversized sec parameter. The malformed request reaches the vulnerable copy operation, overflowing the stack buffer. The attack requires network reachability to the management interface but no user interaction. Exploit details are referenced in the VulDB entry for CVE-2026-10189 and in the published exploit archive.
No verified code examples are available for inclusion. See the referenced VulDB submission for technical proof-of-concept details.
Detection Methods for CVE-2026-10189
Indicators of Compromise
- Unexpected crashes or restarts of the httpd process on the Tenda W12 device
- Inbound HTTP POST requests to the system time configuration endpoint containing abnormally long sec parameter values
- New or unauthorized administrative sessions originating from untrusted networks targeting the device management interface
- Outbound connections from the access point to unfamiliar hosts following management traffic
Detection Strategies
- Inspect web server and router system logs for repeated requests to time configuration URIs with unusual payload sizes
- Deploy network IDS signatures that flag HTTP request bodies containing oversized sec arguments destined for Tenda management interfaces
- Correlate device reboots with preceding HTTP traffic to the management plane to identify exploitation attempts
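The two strategies above (flagging oversized sec arguments and correlating them with device restarts) can be prototyped over parsed HTTP and syslog records. This is an added example, not code from the advisory or the vendor; the endpoint path is a placeholder, the hour and min fields, length threshold and time window are assumptions, and all sample records are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumption: a seconds field needs at most 2 characters; longer is suspicious.
MAX_SEC_LEN = 2
# Assumption: a restart this many seconds after a flagged request is related.
RESTART_WINDOW = 30

def sec_values(request_target, body):
    """Yield every URL-decoded 'sec' value from the query string and form body."""
    query = urlsplit(request_target).query
    for source in (query, body):
        for name, value in parse_qsl(source):
            if name == "sec":
                yield value

def flag_requests(requests):
    """Return (timestamp, source, sec_length) for requests with an oversized sec."""
    alerts = []
    for ts, src, target, body in requests:
        longest = max((len(v) for v in sec_values(target, body)), default=0)
        if longest > MAX_SEC_LEN:
            alerts.append((ts, src, longest))
    return alerts

def correlate(alerts, restart_times, window=RESTART_WINDOW):
    """Return the alerts that were followed by an httpd restart within `window` seconds."""
    return [a for a in alerts
            if any(0 <= r - a[0] <= window for r in restart_times)]

# Constructed sample records: (epoch seconds, source IP, request target, form body).
# The path is a placeholder; the real endpoint is not given in the advisory.
SAMPLE_REQUESTS = [
    (1000, "192.0.2.10", "/time-config-placeholder", "hour=12&min=30&sec=45"),
    (1060, "198.51.100.7", "/time-config-placeholder", "hour=12&min=30&sec=" + "A" * 600),
    (1200, "198.51.100.7", "/time-config-placeholder?sec=%30%30%30%30", ""),
    (1300, "192.0.2.10", "/time-config-placeholder", "hour=1&min=2&sec=7"),
]
# Constructed httpd restart timestamps, as would be extracted from forwarded syslog.
SAMPLE_RESTARTS = [1065, 5000]

if __name__ == "__main__":
    alerts = flag_requests(SAMPLE_REQUESTS)
    for ts, src, length in alerts:
        print(f"t={ts} src={src} sec_len={length}")
    print("followed by restart:", correlate(alerts, SAMPLE_RESTARTS))
```

Measuring the length after URL decoding keeps percent-encoded values from being miscounted, and checking both the query string and the body covers either request style.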
Monitoring Recommendations
- Restrict and monitor access to the Tenda W12 management interface from non-administrative network segments
- Forward syslog output from the device to a centralized log platform and alert on httpd crash signatures
- Track outbound connections initiated by network appliances, which should rarely originate traffic to the internet
How to Mitigate CVE-2026-10189
Immediate Actions Required
- Remove the Tenda W12 web management interface from any untrusted or internet-facing network and bind it to a dedicated management VLAN
- Enforce strong administrative credentials and disable default accounts to raise the barrier for the authenticated attack precondition
- Audit recent administrative access logs for unauthorized logins or configuration changes to time-related settings
Patch Information
At the time of publication, no vendor patch is referenced in the NVD entry or in the VulDB advisory. Consult the Tenda official website for firmware updates addressing the cgiSysTimeInfoSet overflow and apply any released firmware that supersedes version 3.0.0.7(4763).
Workarounds
- Place the device behind a firewall and block inbound TCP access to the HTTP management port from all but trusted hosts
- Disable remote web administration if the feature is enabled, restricting management to the local LAN only
- Replace the device with a supported model if the vendor does not publish a fix within an acceptable timeframe
# Example: restrict management access to a single admin host via iptables on an upstream gateway
iptables -A FORWARD -p tcp -s 192.0.2.10 -d <tenda_w12_ip> --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d <tenda_w12_ip> --dport 80 -j DROP

