Which versions of Tenda HG7/HG9/HG10 are affected by CVE-2026-11553?

Tenda XPON ONT routers (HG7, HG9, HG10 running firmware 300001138_en_xpon) contain a stack-based buffer overflow vulnerability with publicly available exploit code, creating immediate operational…

Is there a public PoC exploit available for CVE-2026-11553?

Yes, a public proof-of-concept exploit is available for CVE-2026-11553. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-11553?

Within 24 hours: complete inventory of all Tenda HG7, HG9, HG10 routers and isolate affected units with firmware 300001138_en_xpon; restrict administrative network access to these devices. Within 7 days: implement firewall rules blocking access to /boaform/formPPPEdit endpoint from untrusted networks; disable remote PPP configuration management capabilities where operationally feasible; deploy network-based intrusion detection signatures targeting buffer overflow patterns in the encodename parameter. Within 30 days: contact Tenda Technical Support for patched firmware timeline; develop device replacement or upgrade strategy; establish continuous monitoring for configuration anomalies on remaining affected units.

Tenda HG7/HG9/HG10 CVE-2026-11553

Q: What is the CVSS score of CVE-2026-11553?

CVE-2026-11553 has a CVSS 4.0 base score of 7.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-35175 HIGH

Stack-based Buffer Overflow (CWE-121)

2026-06-08 VulDB

GHSA-wf5q-f55f-rq8w

Tenda Stack Overflow Buffer Overflow

7.4

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.4 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Jun 08, 2026 - 18:31 vuln.today

CVSS changed

Jun 08, 2026 - 18:22 NVD

8.8 (HIGH) 7.4 (HIGH)

DescriptionCVE.org

A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formPPPEdit of the file /boaform/formPPPEdit. The manipulation of the argument encodename results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used.

AnalysisAI

Stack-based buffer overflow in Tenda HG7, HG9, and HG10 XPON ONT routers (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory via the encodename parameter of the formPPPEdit handler at /boaform/formPPPEdit. Publicly available exploit code exists (hosted on GitHub by researcher xiezhihua-1127), elevating practical risk despite no confirmed active exploitation in CISA KEV. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify exposed Tenda XPON ONT

Delivery

Obtain low-priv web credentials

Exploit

POST oversized encodename to /boaform/formPPPEdit

Install

Overflow stack buffer and hijack return address

Execute shellcode as web server (root)

Execute

Install botnet payload or backdoor

Impact

Pivot to LAN or join DDoS botnet

Recon

Identify exposed Tenda XPON ONT

Delivery

Obtain low-priv web credentials

Exploit

POST oversized encodename to /boaform/formPPPEdit

Install

Overflow stack buffer and hijack return address

Execute shellcode as web server (root)

Execute

Install botnet payload or backdoor

Impact

Pivot to LAN or join DDoS botnet

Vulnerability AssessmentAI

Exploitation	Exploitation requires network reachability to the device's HTTP administration interface (typically the LAN side, port 80/443, though some ISP deployments expose it on the WAN for TR-069/remote management) and valid low-privileged credentials to the web UI per CVSS PR:L - no user interaction is required (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) indicates network-reachable, low-complexity exploitation requiring low privileges - meaning an attacker needs at least a low-privileged authenticated session, which substantially limits exposure compared to a fully unauthenticated bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who has obtained low-privileged web UI credentials (via phishing, credential reuse, default-password sweeps of internet-exposed ONTs, or LAN-side access) sends a crafted HTTP request to /boaform/formPPPEdit with an oversized encodename parameter, overflowing the stack buffer and overwriting the saved return address. Using the publicly available PoC from github.com/xiezhihua-1127/Tenda-Stack-Overflow as a template, the attacker achieves code execution as the web server process (typically root on these embedded devices), then drops a Mirai-class payload or pivots to the LAN. …
Remediation	No vendor-released patch identified at time of analysis - Tenda has not published a firmware update or advisory addressing CVE-2026-11553 at https://www.tenda.com.cn/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: complete inventory of all Tenda HG7, HG9, HG10 routers and isolate affected units with firmware 300001138_en_xpon; restrict administrative network access to these devices. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-38065 CRITICAL Act Now

9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the

CVE-2026-38060 CRITICAL Act Now

9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin p

CVE-2026-38061 CRITICAL Act Now

9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volum

CVE-2026-38062 CRITICAL Act Now

9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the rat

CVE-2026-38063 CRITICAL Act Now

9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via

CVE-2026-11553 vulnerability details – vuln.today

Back

Tenda HG7/HG9/HG10 CVE-2026-11553

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code