Tenda W12 Router RCE via Stack-Based Buffer Overflow (CVE-2026-10191)

/HIGH /CVSS 8.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitybuffer-overflowcwe-119cwe-121
Tenda W12 Router RCE via Stack-Based Buffer Overflow (CVE-2026-10191)

The National Vulnerability Database (NVD) has detailed CVE-2026-10191, a high-severity stack-based buffer overflow vulnerability affecting Tenda W12 3.0.0.7(4763) routers. Specifically, the flaw resides in the cgiWifiMacFilterSet function within the /bin/httpd executable. Attackers can trigger this vulnerability by manipulating the wifiMacFilterSet.macList.mac argument.

This is a critical remote code execution (RCE) vector, rated 8.8 CVSSv3.1, allowing unauthenticated remote attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The exploit has been publicly disclosed, meaning it’s likely already being weaponized in the wild. Given the widespread use of such consumer-grade network devices in home offices and small businesses, this presents a significant attack surface.

Defenders must recognize that these types of vulnerabilities in network infrastructure devices are prime targets for initial access. An exploited router can become a persistent beachhead for lateral movement, data exfiltration, or even a pivot point for further attacks on the internal network. Patching is paramount, but often challenging with unmanaged or EOL devices.

What This Means For You

  • If your organization or its remote workers use Tenda W12 3.0.0.7(4763) routers, you are directly exposed to remote code execution. Immediately verify your router's firmware version. If affected, update to a patched version or replace the device if no patch is available. Assume compromise if you cannot confirm the patch status.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1071.004 Web Protocols Command and Control

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

Tenda W12 Router RCE via Stack Buffer Overflow (CVE-2026-10191)

Sigma YAML — free preview 
title: Tenda W12 Router RCE via Stack Buffer Overflow (CVE-2026-10191)
id: scw-2026-05-31-ai-1
status: experimental
level: critical
description: |
  This rule detects attempts to exploit CVE-2026-10191 by identifying requests targeting the /bin/httpd executable with the cgiWifiMacFilterSet function and the specific parameter 'wifiMacFilterSet.macList.mac', which is vulnerable to a stack-based buffer overflow.
author: SCW Feed Engine (AI-generated)
date: 2026-05-31
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-10191/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/bin/httpd'
      cs-uri-query|contains:
          - 'cgiWifiMacFilterSet'
      cs-uri-query|contains:
          - 'wifiMacFilterSet.macList.mac='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-10191 Buffer Overflow Tenda W12 3.0.0.7(4763)
CVE-2026-10191 Buffer Overflow Vulnerable function: cgiWifiMacFilterSet in /bin/httpd
CVE-2026-10191 Buffer Overflow Vulnerable argument: wifiMacFilterSet.macList.mac

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 31, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-48209: OTRS XSS Exposes Agent Sessions to Attackers

CVE-2026-48209 — An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS)...

vulnerabilityCVEhigh-severitycross-site-scripting-xsscwe-79cwe-116
/SCW Vulnerability Desk /HIGH /7.1 /⚑ 4 IOCs /⚙ 2 Sigma

CVE-2026-48208 — Denial of Service

CVE-2026-48208 — An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-400cwe-791
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-48189 — OTRS Customer Backend Module Vulnerability

CVE-2026-48189 — An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note...

vulnerabilityCVEmedium-severitycwe-200
/SCW Vulnerability Desk /MEDIUM /5.7 /⚑ 2 IOCs /⚙ 1 Sigma