PatchSiren cyber security CVE debrief
CVE-2026-10188 Tenda CVE debrief
A stack-based buffer overflow vulnerability exists in the Tenda W12 wireless access point firmware version 3.0.0.7(4763). The flaw resides in the `cgistaKickOff` function within the `/bin/httpd` binary, where improper handling of the `staMac` parameter allows remote attackers to overflow the stack buffer. The vulnerability is remotely exploitable and public exploit material has been published, increasing the risk of active exploitation. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges, and high impacts to confidentiality, integrity, and availability. The weakness classifications are CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). Vendor attribution to Tenda is supported by the reference to the official Tenda website in source materials, though the vendor field carries low confidence and requires review. No CISA KEV listing or known ransomware campaign use is currently associated with this vulnerability.
- Vendor
- Tenda
- Product
- W12
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-31
- Original CVE updated
- 2026-05-31
- Advisory published
- 2026-05-31
- Advisory updated
- 2026-05-31
Who should care
Organizations deploying Tenda W12 wireless access points, particularly in exposed or semi-trusted network segments. Security teams responsible for embedded device and IoT security. Network administrators managing remote site connectivity where these devices may be deployed.
Technical summary
The vulnerability is a stack-based buffer overflow (CWE-121, CWE-119) in the `cgistaKickOff` function of `/bin/httpd` on Tenda W12 devices running firmware 3.0.0.7(4763). The `staMac` argument is not properly bounds-checked, allowing a remote attacker to send a crafted request that overflows the stack buffer. Successful exploitation could lead to arbitrary code execution with the privileges of the HTTP server process. The attack requires network access to the device but does not require authentication based on the CVSS vector (PR:L indicates low privileges required, though the description suggests remote attack possibility). Public exploit availability increases the likelihood of exploitation.
Defensive priority
HIGH
Recommended defensive actions
- Segment or restrict network access to Tenda W12 management interfaces to untrusted sources
- Monitor for unauthorized access attempts targeting /bin/httpd endpoints, particularly those involving staMac parameters
- Apply firmware updates from Tenda if and when patches become available for version 3.0.0.7(4763)
- Consider replacing or discontinuing use of affected devices if vendor patches are not forthcoming
- Review network logs for anomalous requests to the device that may indicate exploitation attempts
- Deploy intrusion detection signatures for stack-based buffer overflow patterns in embedded HTTP server implementations
Evidence notes
CVE description identifies affected product as Tenda W12 firmware 3.0.0.7(4763), vulnerable function as cgistaKickOff in /bin/httpd, and attack vector as remote stack-based buffer overflow via staMac argument manipulation. CVSS 4.0 score of 7.4 (HIGH) with network attack vector, low complexity, and high impacts. Source references include VulDB entries and a published exploit archive. Official CVE and NVD records confirm publication date of 2026-05-31. No KEV entry present. Vendor field marked low confidence with candidate evidence from reference domain.
Official resources
2026-05-31