CVE-2026-10190: Tenda W12 Web Management httpd cgiSysWebTimeoutSet denial of service
A vulnerability was found in Tenda W12 3.0.0.7(4763). This issue affects the function cgiSysWebTimeoutSet of the file /bin/httpd of the component Web Management Interface. The manipulation of the argument web_over_time results in denial of service. It is possible to launch the attack remotely. The exploit has been made public and could be used.
HarborGuard Analysis
Synopsis
A denial-of-service vulnerability exists in the web management interface (httpd) of the Tenda W12 router, firmware version 3.0.0.7(4763). The flaw is in the cgiSysWebTimeoutSet function, where an attacker can manipulate the web_over_time argument to crash or hang the httpd process. Exploitation is possible remotely with a low-privilege account, and a proof-of-concept has been made public. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection capability for CVE-2026-10190 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including VulDB, covering custom-built images that bundle the Tenda W12 httpd binary. Any image in a customer registry or CI pipeline that includes the affected firmware component is flagged automatically.
Status: Available
HarborGuard scores this issue at CVSS 7.1 (HIGH) using the v4.0 vector and is capable of weighting that score against each customer environment's compliance policy to determine urgency and routing. Triage findings are routed to the appropriate team inbox within the customer organization based on policy configuration.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version is confirmed.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the device's web management interface over the network; the CVSS vector specifies AV:N, meaning no local or physical access is needed.
- Authentication: Required
  The CVSS vector specifies PR:L, meaning a low-privilege account on the web management interface is sufficient to trigger the vulnerability.
- Victim interaction: Not required
  The CVSS vector specifies UI:N; the attacker can exploit the flaw without any action from another user or administrator.
- Attack complexity: Detail
  The CVSS vector specifies AC:L and AT:N, meaning the exploit is reliable, requires no special timing, and imposes no environmental pre-conditions.
Blast Radius
- Crashes or hangs the httpd process on the Tenda W12, taking down the web management interface for the duration of the outage.
- Administrators lose the ability to manage or reconfigure the device through the web UI until the service recovers or the device is rebooted.
- Repeated exploitation can sustain a persistent denial-of-service condition against the management plane of the affected router.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-10190, the platform monitors the VulDB advisory and all upstream feeds on every ingest cycle, ready to surface a patched-image rebuild the moment Tenda publishes a fix. In the meantime, customers are advised to use HarborGuard network-policy controls to isolate containers or images that bundle the affected httpd binary, apply egress filtering to restrict access to the web management interface to trusted management networks only, and consider feature-flag gating or firewall rules to block external access to the cgiSysWebTimeoutSet endpoint. For customers with auto-remediation enabled, a rebuilt image, regression test run, and PR against affected workloads will be triggered automatically once an upstream fix version is confirmed. The public availability of a proof-of-concept raises the practical risk for any exposed deployment, making network isolation the most effective compensating control until a patch is released.
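One way to verify the compensating control described above, as an added example that is not HarborGuard or Tenda code: it scans proxy logs for requests that set web_over_time from outside the trusted management networks and counts repeats per source. The JSON log format, the 10.20.0.0/24 management range and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

PARAM = "web_over_time"  # argument named in the advisory
# Assumption: the network administrators manage the device from (constructed value).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample: JSON lines from a hypothetical proxy in front of the
# management interface that records the client address and form fields.
SAMPLE_LOG = """\
{"ts": "2026-01-10T09:00:01Z", "src": "10.20.0.15", "params": {"web_over_time": "15"}}
{"ts": "2026-01-10T09:02:44Z", "src": "192.0.2.77", "params": {"web_over_time": "15"}}
{"ts": "2026-01-10T09:02:45Z", "src": "192.0.2.77", "params": {"web_over_time": "15"}}
{"ts": "2026-01-10T09:03:10Z", "src": "198.51.100.9", "params": {"lang": "en"}}
not-json garbage line
{"ts": "2026-01-10T09:04:00Z", "src": "bad-address", "params": {"web_over_time": "15"}}
"""


def is_trusted(src, nets=MGMT_NETS):
    """True only if src parses as an IP address inside a management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(addr in net for net in nets)


def audit(log_text, nets=MGMT_NETS):
    """Return (findings, hits per source, number of unparseable lines)."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            src, params = rec["src"], rec["params"]
            hit = PARAM in params
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed record: count it instead of hiding it
            continue
        if hit and not is_trusted(src, nets):
            findings.append((rec.get("ts"), src))
    return findings, Counter(src for _, src in findings), skipped


if __name__ == "__main__":
    hits, per_source, skipped = audit(SAMPLE_LOG)
    print(hits, dict(per_source), skipped)
```

Any finding means the management interface is reachable from a network the filtering was meant to exclude; a high per-source count matches the repeated-request pattern listed under Blast Radius.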
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - Tenda / W12 3.0.0.7(4763)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P