CVE-2026-2017
Unknown Unknown - Not Provided
Stack-Based Buffer Overflow in IP-COM W30AP POST Handler

Publication date: 2026-02-06

Last updated on: 2026-02-17

Assigner: VulDB

Description
A vulnerability was detected in IP-COM W30AP up to 1.0.0.11(1340). Affected by this issue is the function R7WebsSecurityHandler of the file /goform/wx3auth of the component POST Request Handler. The manipulation of the argument data results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2017
EUVD
EUVD-2026-5686
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ip-com w30ap_firmware to 1.0.0.11(1340 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2017 is a critical stack-based buffer overflow vulnerability in the IP-COM W30AP device firmware versions up to 1.0.0.11(1340). It exists in the function handling POST requests to the /goform/wx3auth endpoint, specifically in the R7WebsSecurityHandler or formWx3AuthorizeSet function.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the code retrieves two parameters, 'data' and 'extend', from the POST request and uses unsafe functions like strcpy or sprintf to copy user-controlled input into a fixed-size stack buffer without any length checks or input validation. When 'extend' equals 'pc' and 'data' contains certain strings like 'http://' or 'data=', this leads to a stack-based buffer overflow."}, {'type': 'paragraph', 'content': 'This overflow can be triggered remotely without any authentication, allowing attackers to potentially corrupt memory or execute arbitrary code on the device.'}] [1, 2, 3, 4]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have severe impacts on the affected device and its users. Because it is a stack-based buffer overflow exploitable remotely without authentication, attackers can compromise the device's confidentiality, integrity, and availability."}, {'type': 'list_item', 'content': 'Confidentiality: Attackers may gain unauthorized access to sensitive information stored or processed by the device.'}, {'type': 'list_item', 'content': "Integrity: The device's operation or data can be manipulated or corrupted by exploiting the overflow."}, {'type': 'list_item', 'content': 'Availability: The device may crash or become unresponsive, causing denial of service.'}, {'type': 'paragraph', 'content': 'Since the exploit is publicly available and no patches or mitigations are known, the risk of exploitation is high, and affected devices should be replaced or isolated.'}] [2, 4]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring and analyzing HTTP POST requests sent to the endpoint /goform/wx3auth on IP-COM W30AP devices running firmware up to version 1.0.0.11(1340). Specifically, look for POST requests where the parameter 'extend' is set to 'pc' and the 'data' parameter contains strings starting with 'data=' or 'http://', followed by unusually long or suspicious content."}, {'type': 'paragraph', 'content': 'A practical detection method is to capture network traffic and filter for POST requests to /goform/wx3auth with these parameters. For example, using tcpdump or tshark:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/wx3auth'"}, {'type': 'list_item', 'content': 'tshark -Y \'http.request.method == "POST" and http.request.uri contains "/goform/wx3auth"\' -T fields -e http.file_data'}, {'type': 'paragraph', 'content': 'Additionally, inspecting web server logs on the device (if accessible) for POST requests to /goform/wx3auth with the specified parameters can help detect attempts to exploit this vulnerability.'}] [4]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'There are no known patches or vendor-provided mitigations for this vulnerability as the vendor did not respond to the disclosure.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Restrict network access to the affected device, especially blocking remote HTTP POST requests to the /goform/wx3auth endpoint.'}, {'type': 'list_item', 'content': 'Implement firewall rules or access control lists (ACLs) to prevent untrusted sources from reaching the vulnerable service.'}, {'type': 'list_item', 'content': "Monitor network traffic for suspicious POST requests targeting /goform/wx3auth with parameters 'extend=pc' and 'data' containing suspicious payloads."}, {'type': 'list_item', 'content': 'Consider replacing the affected IP-COM W30AP device with a non-vulnerable alternative, as no patches are available.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2017. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart