CVE-2026-2017

CRITICAL

IP-COM W30AP <1.0.0.11 - Buffer Overflow

Title source: llm

Description

A vulnerability was detected in IP-COM W30AP up to 1.0.0.11(1340). Affected by this issue is the function R7WebsSecurityHandler of the file /goform/wx3auth of the component POST Request Handler. The manipulation of the argument data results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

gitee WORKING POC

by GXB0_0 · poc

https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md#poc

View Code ZIP pw:eip

References (6)

[Exploit, Third Party Advisory] https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md

[Exploit, Third Party Advisory] https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md#poc

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.344599

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.344599

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.744062

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.744063

Scores

CVSS v3 9.8

EPSS 0.0016

EPSS Percentile 37.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-121 CWE-119 CWE-787

Status published

Affected Products (1)

ip-com/w30ap_firmware < 1.0.0.11\(1340\)

Timeline

Published Feb 06, 2026

Tracked Since Feb 18, 2026