A critical stack-based buffer overflow in Tenda W12 firmware enables remote attackers to execute arbitrary code and fully compromise the device.

The cgiSysTimeInfoSet function in /bin/httpd is vulnerable to a stack-based buffer overflow triggered by manipulating the 'sec' argument. This allows remote attackers to overwrite memory and execute arbitrary code.

The CVSS score of 8.8 reflects the high risk of this critical vulnerability. A compromised router can be used to monitor network traffic, perform man-in-the-middle attacks, or serve as a launchpad for broader network intrusions.

Immediate Action: Update the firmware on all Tenda W12 devices to the latest available version.

Proactive Monitoring: Monitor device logs and network traffic for suspicious activity related to time setting requests or interface access.

Compensating Controls: Implement strict firewall rules to prevent unauthorized access to the router's web management interface.

Public Exploit Available: true

Given the availability of public exploits and the critical nature of this flaw, administrators must prioritize firmware updates for all Tenda W12 units. Ensure the device management interface is not exposed to the internet.