Which versions of Tenda W12 are affected by CVE-2026-10188?

Tenda W12 wireless access point firmware versions 3.0.0.7(4763) and earlier contain a high-severity vulnerability allowing remote code execution; publicly available exploit code exists, creating…

Is there a public PoC exploit available for CVE-2026-10188?

Yes, a public proof-of-concept exploit is available for CVE-2026-10188. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-10188?

24 hours: Inventory all Tenda W12 devices and identify those running firmware 3.0.0.7(4763) or earlier; restrict network access to management interfaces via firewall ACLs. 7 days: Contact Tenda support for confirmed patch timeline; implement network segmentation isolating vulnerable devices from critical infrastructure. 30 days: Apply Tenda firmware patches immediately upon vendor release; complete migration to patched firmware versions for all affected devices or plan replacement with alternative vendors.

Tenda W12 CVE-2026-10188

Q: What is the CVSS score of CVE-2026-10188?

CVE-2026-10188 has a CVSS 4.0 base score of 7.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-33510 HIGH

Stack-based Buffer Overflow (CWE-121)

2026-05-31 VulDB

GHSA-jwrp-439h-fx3w

Buffer Overflow Tenda Stack Overflow

7.4

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.4 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 31, 2026 - 15:28 vuln.today

v3 (cvss_changed)

Analysis Updated

May 31, 2026 - 15:27 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 31, 2026 - 15:22 vuln.today

cvss_changed

CVSS changed

May 31, 2026 - 15:22 NVD

8.8 (HIGH) 7.4 (HIGH)

Analysis Generated

May 31, 2026 - 15:20 vuln.today

DescriptionCVE.org

A flaw has been found in Tenda W12 3.0.0.7(4763). This affects the function cgistaKickOff of the file /bin/httpd. Executing a manipulation of the argument staMac can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used.

AnalysisAI

Stack-based buffer overflow in Tenda W12 firmware 3.0.0.7(4763) allows remote attackers with low privileges to corrupt memory via the staMac parameter processed by the cgistaKickOff function in /bin/httpd. Publicly available exploit code exists (hosted at cdn2.v50to.cc), elevating practical risk despite no current CISA KEV listing. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify exposed W12 admin interface

Delivery

Authenticate with low-privilege or default credentials

Exploit

Send crafted POST to cgistaKickOff with oversized staMac

Install

Overflow stack buffer in /bin/httpd

Hijack saved return address to shellcode

Execute

Execute commands as httpd (typically root)

Impact

Pivot into internal wireless network

Recon

Identify exposed W12 admin interface

Delivery

Authenticate with low-privilege or default credentials

Exploit

Send crafted POST to cgistaKickOff with oversized staMac

Install

Overflow stack buffer in /bin/httpd

Hijack saved return address to shellcode

Execute

Execute commands as httpd (typically root)

Impact

Pivot into internal wireless network

Vulnerability AssessmentAI

Exploitation	Exploitation requires network reachability to the W12 administrative HTTP daemon (/bin/httpd) and low-privilege authenticated access to the web management interface (CVSS PR:L), meaning the attacker must possess valid credentials of at least an unprivileged management role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Risk signals are mixed but lean toward elevated practical concern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with low-privilege credentials to the W12 web UI (or who has obtained them via default/weak password reuse) sends a crafted HTTP request to the cgistaKickOff handler with an oversized staMac parameter, overflowing the stack buffer in /bin/httpd. Using the publicly available PoC archive, the attacker overwrites the saved return address to redirect execution to embedded shellcode, gaining code execution as the httpd process - typically root on this class of device - and pivoting into the internal wireless network.
Remediation	No vendor-released patch identified at time of analysis - Tenda has not published an advisory or fixed firmware version referenced in the available data, so monitor https://www.tenda.com.cn/ for a firmware update superseding 3.0.0.7(4763). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Tenda W12 devices and identify those running firmware 3.0.0.7(4763) or earlier; restrict network access to management interfaces via firewall ACLs. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-38065 CRITICAL Act Now

9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the

CVE-2026-38060 CRITICAL Act Now

9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin p

CVE-2026-38061 CRITICAL Act Now

9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volum

CVE-2026-38062 CRITICAL Act Now

9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the rat

CVE-2026-38063 CRITICAL Act Now

9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via

CVE-2026-10188 vulnerability details – vuln.today

Back

Tenda W12 CVE-2026-10188

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code