eastbaycyber

CVE-2026-10192: Tenda W12 Buffer Overflow Vulnerability

CVE explainers 4 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-05-31
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-10192
CVSS score 8.8
Attack vector Remote
Auth required Not clearly stated in accessible source material
Patch status Not verified
Affected product Tenda W12
Confirmed affected version 3.0.0.7(4763)
Fixed version Not verified

TL;DR - Remote stack overflow in Tenda W12 /bin/httpd set_local_time_0. - Confirmed affected firmware: 3.0.0.7(4763); public exploit material exists. - No verified fix or confirmed in-the-wild exploitation, so treat internet-exposed devices as urgent.

What this vulnerability is and why it matters

CVE-2026-10192 is a high-severity stack-based buffer overflow affecting the Tenda W12 web management component. The flaw is attributed to the set_local_time_0 function in /bin/httpd, which is triggered through manipulation of the Time argument. This remote attack means that the device’s web administration interface poses a significant risk.

Buffer overflows in embedded web servers can lead to denial of service, process crashes, or even remote code execution. While a public exploit archive exists, the details of authentication requirements and exploitability remain unclear, emphasizing the urgency for organizations to address their exposure to vulnerabilities like CVE-2026-10192.

For companies utilizing Tenda hardware, especially in branch environments, a public exploit combined with a remote attack vector should prompt immediate action to review network configurations and apply security controls.

Exploitation status: what is known, and what is not

Public exploit material is available, including a reference to the exploit archive at http://cdn2.v50to.cc/set_local_time_0_overflow.zip. However, exploitation in the wild has not been confirmed, and there is no official patch or fixed version available as of now. Defenders should be cautious since the existence of exploit material often leads to opportunistic scanning and potential exploitation, particularly for devices with exposed interfaces.

AnalystImpact · assess the risk

Affected versions and exposure assumptions

The only confirmed affected version is Tenda W12 firmware 3.0.0.7(4763). There is no additional verified range, making it crucial for defenders to check their firmware and take precautionary measures if running this version. Without a confirmed fix from the vendor, treat devices as potentially at risk until your firmware can be validated against the vulnerable version.

For further insight into incident response strategies, see our article on how to write an incident response plan.

Risk assessment for defenders

The high CVSS base score of 8.8 emphasizes the severity of this issue. If the Tenda W12’s web management interface is accessible from the internet or unsecured segments of your network, the risk can increase dramatically. Compromised devices may allow attackers to execute arbitrary commands, leading to broader network vulnerabilities.

Consider employing common security measures such as restricting access to trusted management networks, as highlighted in our glossary on OAuth security practices.

Technical deep dive for practitioners

With a focus on improving security for embedded web servers and understanding exploits, it’s critical to grasp that inadequate bounds checking of the Time argument can lead to serious vulnerabilities. Ensure your security measures consider limitations of these devices, closely monitoring interactions and potential attack vectors.


This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

ResponderRunbook · act now

What to do now

  1. Verify if any Tenda W12 devices are in your inventory and whether they are running firmware 3.0.0.7(4763).
  2. Immediately reduce exposure to this vulnerability, such as disabling disabled remote management and restricting access to a secure admin subnet.

Technical Notes

# Example: allow router admin access only from a specific workstation
iptables -A FORWARD -p tcp -s 192.0.2.10 -d 192.0.2.50 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.0.2.10 -d 192.0.2.50 --dport 443 -j ACCEPT

# Drop other access attempts
iptables -A FORWARD -p tcp -d 192.0.2.50 --dport 80 -j DROP
iptables -A FORWARD -p tcp -d 192.0.2.50 --dport 443 -j DROP

Detection and hunting guidance

Monitoring for unusual access patterns to the management interface is vital. Track requests that target the Time parameter, particularly those with oversized values, as they may signify probing or exploitation attempts.

grep -E 'Time=.{128,}' /var/log/httpd/access.log

Mitigation and patching guidance

Until there is an official vendor patch, focus on reducing exposure and securing devices. Consult our overview on differential privacy for enhancing privacy measures while using vulnerable devices.

Technical Notes

If firmware updates become available, always validate the version and checksum before applying. Meanwhile, prioritize securing your network by disabling remote management where feasible.

Last verified: 2026-05-31

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.