CVE-2026-10188
Description
Tenda W12 v3.0.0.7(4763) has a remote stack-based buffer overflow in /bin/httpd via the cgistaKickOff function's staMac argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the cgistaKickOff function within the /bin/httpd binary of Tenda W12 firmware version 3.0.0.7(4763) [1]. A stack-based buffer overflow occurs when the function handles the staMac argument. This allows remote exploitation without authentication, because the HTTP daemon processes the input directly [1].
Exploitation
An attacker can send a crafted HTTP request to the vulnerable endpoint, passing an overly long staMac parameter to the cgistaKickOff function. No prior authentication is required; the attack is performed remotely over the network [1]. A public exploit has been published [1].
Impact
Successful exploitation leads to stack-based buffer overflow, potentially allowing remote code execution (RCE) on the device. An attacker could gain full control of the affected Tenda W12 router, leading to denial of service, information disclosure, or further network compromise [1].
Mitigation
As of publication, Tenda has not released a patched firmware version. Users should monitor the vendor's official website [1] for updates. Until a fix is available, consider restricting remote access to the device's web interface, placing the device behind a firewall, and disabling unnecessary services. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of 2026-05-31 [1].
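The root cause described above is an HTTP parameter copied into a fixed-size stack buffer without a length check. The following is an added, hypothetical illustration of the defensive pattern a handler for a MAC-address parameter such as staMac should use; it is not Tenda's code, and the function names (is_valid_mac, kick_off_station) are assumptions. It assumes a POSIX C library for strnlen.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAC_STR_LEN 17                  /* "aa:bb:cc:dd:ee:ff" */
#define MAC_BUF_SIZE (MAC_STR_LEN + 1)  /* room for the terminator */

/* Returns true only if s is exactly 17 bytes in the form xx:xx:xx:xx:xx:xx.
 * strnlen bounds the scan so an unterminated or huge value is never walked. */
bool is_valid_mac(const char *s) {
    if (s == NULL) return false;
    size_t n = strnlen(s, MAC_STR_LEN + 1);
    if (n != MAC_STR_LEN) return false;
    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':') return false;
        } else if (!isxdigit((unsigned char)s[i])) {
            return false;
        }
    }
    return true;
}

/* Hypothetical safe handler: the request value is validated before any byte is
 * copied into the fixed stack buffer, so an overlong staMac cannot overflow it.
 * Returns 0 on success, -1 when the input is rejected. */
int kick_off_station(const char *sta_mac) {
    char mac[MAC_BUF_SIZE];
    if (!is_valid_mac(sta_mac)) return -1;
    memcpy(mac, sta_mac, MAC_STR_LEN);
    mac[MAC_STR_LEN] = '\0';
    /* ... the device would look up and deauthenticate the station here ... */
    return 0;
}

/* Test helper: calls the handler with a constructed value of `len` copies of c,
 * standing in for an oversized parameter from an HTTP request. */
int kick_off_with_repeated(char c, size_t len) {
    char buf[512];
    if (len >= sizeof buf) len = sizeof buf - 1;
    memset(buf, c, len);
    buf[len] = '\0';
    return kick_off_station(buf);
}
```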
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 6
News mentions: 0
No linked articles in our index yet.