CVE-2026-10189: Tenda W12 httpd cgiSysTimeInfoSet stack-based overflow
A vulnerability has been found in Tenda W12 3.0.0.7(4763). This vulnerability affects the function cgiSysTimeInfoSet of the file /bin/httpd. The manipulation of the argument sec leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
HarborGuard Analysis
Synopsis
A stack-based buffer overflow exists in the cgiSysTimeInfoSet function of the httpd binary on Tenda W12 firmware version 3.0.0.7(4763). The vulnerability is reachable over the network by a low-privilege authenticated user who can manipulate the 'sec' argument, causing the stack to be overwritten. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected device, up to and including remote code execution. No fix version has been published; HarborGuard tracks this advisory and will make a patched rebuild available as soon as upstream ships a fix.
HarborGuard Coverage
Detection (Available): Detection for CVE-2026-10189 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including VulDB) within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that bundle Tenda W12 firmware or the affected httpd binary.
Triage (Available): Triage uses the CVSS v4.0 score of 8.7 (HIGH), weighted against each customer environment's compliance policy, to surface priority and route findings to the appropriate team inbox within the customer org.
Remediation (Pending upstream): Because no fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment upstream publishes a remediated firmware version. In the interim, customers can apply compensating controls such as network-policy isolation rules directly from the HarborGuard remediation panel.
Exploit Conditions
- Network reachability: Required
The vulnerable httpd service is exposed over the network, so an attacker must be able to reach the device's HTTP interface to trigger the overflow.
- Authentication: Required
The attack requires a low-privilege account on the device; any valid user credential is sufficient, but unauthenticated access alone does not trigger the vulnerable code path.
- Victim interaction: Not required
No action from another user or administrator on the device is needed; the attacker can complete the exploit entirely on their own.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Reads all data accessible to the httpd process, including stored credentials and configuration secrets on the device.
- Modifies persisted device configuration and system state, allowing the attacker to alter routing rules, DNS settings, or firmware behavior.
- Crashes or restarts the httpd service, disrupting network management and web-based administration for all users of the device.
- Achieves arbitrary code execution in the context of the httpd process, enabling further lateral movement into the network the device serves.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists yet for CVE-2026-10189, HarborGuard continuously re-checks the VulDB and NVD advisory feeds on every ingest cycle and will automatically make a patched-image rebuild available the moment Tenda publishes a remediated firmware version. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention. While no patch is available, the HarborGuard remediation panel surfaces compensating-control recommendations: restricting network access to the device's HTTP management interface via Kubernetes network policy or firewall egress rules, and disabling remote management features where operationally feasible. Customers whose compliance policy flags HIGH-severity unpatched findings for escalation will see this CVE routed to the appropriate inbox automatically.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- Tenda / W12 3.0.0.7(4763)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P