PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10190 Tenda CVE debrief

A medium-severity denial-of-service vulnerability affects the Tenda W12 wireless access point firmware version 3.0.0.7(4763). The flaw resides in the cgiSysWebTimeoutSet function within the /bin/httpd binary of the device's Web Management Interface. Remote attackers with low privileges can trigger a denial of service by manipulating the web_over_time parameter. The vulnerability has been publicly disclosed with an available exploit, increasing the risk of active use. The assigned CVSS 4.0 vector indicates network attack vector, low attack complexity, no required user interaction, and high availability impact. The weakness is classified as CWE-404 (Improper Resource Shutdown or Release). Vendor attribution to Tenda is supported by a reference to the vendor's official Chinese website, though confidence remains low pending direct vendor confirmation. No CISA KEV listing or known ransomware campaign use has been identified.

Vendor: Tenda
Product: W12
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-31
Original CVE updated: 2026-05-31
Advisory published: 2026-05-31
Advisory updated: 2026-05-31

Who should care

Organizations deploying Tenda W12 wireless access points for network infrastructure; security teams managing remote office or SMB networks; and incident response teams tracking IoT/network equipment vulnerabilities with public exploits.

Technical summary

The cgiSysWebTimeoutSet function in /bin/httpd on Tenda W12 firmware 3.0.0.7(4763) fails to properly handle manipulated web_over_time input, resulting in denial of service. Remote attackers with low privileges can exploit this without user interaction. The vulnerability is classified as CWE-404 (Improper Resource Shutdown or Release) with a CVSS 4.0 score of 5.7 (MEDIUM). Public exploit availability increases exploitation risk.

Defensive priority

Medium

Recommended defensive actions

  • Restrict remote access to the Tenda W12 Web Management Interface to trusted administrative hosts only
  • Monitor for anomalous requests handled by cgiSysWebTimeoutSet that contain manipulated web_over_time parameters
  • Apply firmware updates from Tenda when available; verify that the installed version is later than 3.0.0.7(4763)
  • Segment management interfaces onto isolated network segments without internet exposure
  • Review device logs for unexpected reboots or service disruptions that may indicate exploitation attempts
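
The firmware check in the third action is easy to get wrong with plain string comparison, because "3.0.0.10" sorts before "3.0.0.7" as text. The following is an added example, not PatchSiren or Tenda code: it assumes versions follow the layout of the string quoted in this debrief (dotted numbers plus a build in parentheses, with an optional leading "V" as a further assumption), and the host names and inventory entries are constructed.

```python
import re

# Affected build named in this debrief.
AFFECTED = "3.0.0.7(4763)"

# Assumed layout: dotted numeric fields, then a build number in parentheses.
# The optional leading "V" is an assumption about how a device may print it.
_VERSION_RE = re.compile(r"^\s*[Vv]?(\d+(?:\.\d+)*)\((\d+)\)\s*$")


def parse_version(text):
    """Return ((field, field, ...), build) as integers, or raise ValueError."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    fields = tuple(int(part) for part in match.group(1).split("."))
    return fields, int(match.group(2))


def classify(version):
    """Classify one reported version string against the affected build.

    'later-build' only means the version exceeds the affected one; the debrief
    has no vendor patch information, so it is not proof of a fix.
    """
    try:
        current = parse_version(version)
    except ValueError:
        return "unknown"  # fail closed: unparseable strings go to manual review
    # Integer tuples compare numerically, field by field, then by build.
    return "later-build" if current > parse_version(AFFECTED) else "update-required"


def audit(inventory):
    """Map each host in {host: version} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "ap-branch-01": "3.0.0.7(4763)",
    "ap-branch-02": "V3.0.0.10(5012)",
    "ap-branch-03": "3.0.0.6(9999)",
    "ap-branch-04": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```
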

Evidence notes

Vulnerability disclosed via VulDB with public exploit availability confirmed. CVSS 4.0 vector and CWE-404 classification sourced from NVD record. Vendor identification derived from reference link to tenda.com.cn with low confidence flag. No vendor advisory or patch information available in source corpus.
