PatchSiren cyber security CVE debrief

CVE-2026-10189 Tenda CVE debrief

A stack-based buffer overflow vulnerability exists in the Tenda W12 router firmware version 3.0.0.7(4763). The vulnerability is located in the `cgiSysTimeInfoSet` function within the `/bin/httpd` binary. Remote attackers can trigger the overflow by manipulating the `sec` parameter. The exploit has been publicly disclosed, increasing the likelihood of active exploitation. The vendor attribution to Tenda is supported by a reference to the official Tenda website in the CNA-submitted references, though the vendor field carries low confidence and requires review.

Vendor: Tenda
Product: W12
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-31
Original CVE updated: 2026-05-31
Advisory published: 2026-05-31
Advisory updated: 2026-05-31

Who should care

Organizations deploying Tenda W12 routers for wireless access infrastructure; security teams managing SOHO or remote office networks; incident response teams tracking public router exploits.

Technical summary

The `cgiSysTimeInfoSet` function in `/bin/httpd` on Tenda W12 firmware 3.0.0.7(4763) fails to validate the length of the `sec` argument before copying it, resulting in a stack-based buffer overflow. The vulnerability is remotely exploitable without user interaction and a public exploit is available. The CVSS 4.0 score of 7.4 (HIGH) reflects a network attack vector, low attack complexity, low privileges required (PR:L in the vector below), no user interaction, and high impact on confidentiality, integrity, and availability.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict network access to Tenda W12 administrative interfaces to trusted management networks only
  • Monitor for unauthorized access attempts against the web management interface served by `/bin/httpd`, particularly requests that reach the `cgiSysTimeInfoSet` handler
  • Apply firmware updates from Tenda when available; verify that the installed firmware version is later than 3.0.0.7(4763)
  • Consider network segmentation to isolate affected devices from critical infrastructure
  • Review logs for anomalous `sec` parameter values in HTTP requests to device management interfaces
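The last action above (reviewing logs for anomalous `sec` values) and the technical summary's point that the handler expects a short seconds value but never checks its length suggest a simple detector. The following is an added example written for this debrief, not PatchSiren's or Tenda's code: it parses constructed access-log lines, extracts every `sec` query parameter, and flags values that are overlong, carry control or non-ASCII bytes, are non-numeric, or fall outside 0-59. The log format, the client addresses, and the request path `/PLACEHOLDER_TIME_SET_PATH` are assumptions (the page names only the handler function, not its URL); if the device sends `sec` in a POST body instead, run `classify_sec` over the decoded body fields the same way.

```python
"""Flag anomalous `sec` parameter values in web-management requests.

Illustration for the CVE-2026-10189 debrief. A seconds field should be a
one- or two-digit integer in 0..59, so anything long, non-numeric or
binary-looking is worth an alert. The log format, the request path and the
sample lines are constructed for this example; they are not Tenda output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Expected shape of a legitimate seconds value: one or two ASCII digits.
SEC_PATTERN = re.compile(r"^\d{1,2}$")
# Anything longer than this is far outside what a seconds field needs.
MAX_SEC_LEN = 8

# Constructed log shape: "<client> <METHOD> <request-target> <status>".
LOG_LINE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)

# Assumed placeholder path; the page gives only the handler function name.
TIME_SET_PATH = "/PLACEHOLDER_TIME_SET_PATH"

# Constructed sample lines: one benign time-set call, one unrelated request,
# an overlong value, a value with raw bytes, an out-of-range value, and a
# second benign call.
SAMPLE_LOG = "\n".join([
    f"192.0.2.10 POST {TIME_SET_PATH}?sec=42&min=13&hour=9 200",
    "192.0.2.10 GET /index.html 200",
    f"198.51.100.7 POST {TIME_SET_PATH}?sec=" + "A" * 64 + "&min=1 200",
    f"198.51.100.7 POST {TIME_SET_PATH}?sec=59%00%FF 200",
    f"203.0.113.5 POST {TIME_SET_PATH}?sec=77 200",
    f"203.0.113.5 POST {TIME_SET_PATH}?sec=7 200",
])


@dataclass
class Finding:
    client: str
    target: str
    reason: str


def classify_sec(value: str) -> Optional[str]:
    """Return a reason if `value` is anomalous for a seconds field, else None.

    Checks run from cheapest to most specific so an overlong value is
    reported as such even when it also contains odd characters.
    """
    if len(value) > MAX_SEC_LEN:
        return f"overlong sec value ({len(value)} bytes)"
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in value):
        return "sec value contains control or non-ASCII bytes"
    if not SEC_PATTERN.match(value):
        return "sec value is not a 1-2 digit number"
    if int(value) > 59:
        return "sec value out of range (expected 0-59)"
    return None


def sec_values(target: str) -> List[str]:
    """Extract every decoded `sec=` value from a request target's query string."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes, so %00 becomes a NUL and %FF an undecodable
    # byte (replaced with U+FFFD), both of which classify_sec rejects.
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == "sec"]


def scan_log(text: str) -> List[Finding]:
    """Scan log text and return one Finding per anomalous `sec` value."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        for value in sec_values(m["target"]):
            reason = classify_sec(value)
            if reason:
                findings.append(Finding(m["client"], m["target"], reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} {f.target[:60]} -> {f.reason}")
```

The thresholds are deliberately loose: a legitimate client never needs more than two digits, so `MAX_SEC_LEN` of 8 leaves room for harmless padding while still catching anything that could plausibly overrun a small stack buffer. Tune `TIME_SET_PATH` and `LOG_LINE` to the real device log once you have a sample.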

Evidence notes

CVE published 2026-05-31. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P. Weaknesses: CWE-119, CWE-121. Source references include a ZIP file hosted on the v50to.cc domain and multiple VulDB entries. Vendor evidence is derived from the reference_domain_candidate 'V50to' and an official Tenda website reference.

Official resources

Public exploit disclosed