HIGH 8.8

CVE-2026-11498: Tenda Router VoIP Buffer Overflow RCE Vulnerability

Tenda wireless routers (models HG7, HG9, and HG10) contain a critical flaw in their web-based management interface. An authenticated attacker can send a specially crafted request to the VoIP settings page that overwrites memory on the router, leading to complete compromise of the device. The vulnerability requires a valid login but can be exploited over the network without user interaction. Once exploited, an attacker gains full control over the router's functions, including potential interception of network traffic and manipulation of connected devices.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. Affected by this issue is the function asp_voip_OtherSet of the file /boaform/voip_other_set of the component Web Management Interface. Performing a manipulation of the argument funckey_transfer results in stack-based buffer overflow. The attack is possible to be carried out remotely.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the asp_voip_OtherSet function within the /boaform/voip_other_set endpoint of Tenda's web management interface. The function fails to properly validate the length of the 'funckey_transfer' parameter before copying it into a fixed-size stack buffer. This classic stack-based buffer overflow (CWE-121) allows an authenticated attacker to overwrite the stack, including saved return addresses and local variables. By crafting a payload exceeding the buffer's capacity, an attacker can execute arbitrary code with the privileges of the web server process, typically running as root on these embedded devices.

Business impact

Compromise of a Tenda router exposes an organization's entire network to reconnaissance, lateral movement, and persistent backdoor installation. An attacker controlling the router can intercept, modify, or redirect all network traffic, monitor VoIP calls, harvest credentials, and establish a foothold for further attacks. For organizations relying on these routers as network perimeter devices or for remote office connectivity, exploitation could lead to data exfiltration, ransomware deployment, or business continuity disruption.

Affected systems

Tenda HG7, HG9, and HG10 routers running firmware version 300001138_en_xpon are confirmed vulnerable. Organizations should verify the exact firmware version on deployed units—it typically appears in the router's web interface under system information. Tenda has not released public details on which firmware versions introduced or remediated this issue; checking the vendor's security advisory is essential to identify the full scope of affected revisions.

Exploitability

The attack requires valid credentials to access the web management interface, reducing the immediate risk for routers with strong default credentials changed post-deployment. However, many organizations fail to change default credentials, and attackers often target routers on public IP ranges or through compromised employee accounts. Once inside, the exploit is straightforward—no complex timing, architecture-specific bypasses, or advanced techniques are needed. The CVSS 3.1 score of 8.8 (HIGH) reflects the high impact, low complexity, and network accessibility, though the requirement for prior authentication moderately constrains the base metric.

Remediation

Immediately apply any available firmware update from Tenda addressing CVE-2026-11498. In the interim, restrict web management access via firewall rules to trusted IP ranges or internal networks only. Disable remote management if not required. Change default credentials on all affected routers. Implement network segmentation to minimize the blast radius if a router is compromised. Consider replacing the affected models with routers from vendors with stronger security track records and timely patch release practices.

Patch guidance

Consult Tenda's official security advisory and support portal for patched firmware versions. Do not rely on third-party repositories. After updating, verify the firmware version in the router's system information and confirm that the web management interface no longer accepts oversized funckey_transfer parameters (test safely in a lab if possible). Maintain a log of all firmware versions deployed across your infrastructure to track remediation progress.

Detection guidance

Monitor web server logs on the router (if accessible) for POST requests to /boaform/voip_other_set with unusually long or malformed funckey_transfer values. On the network level, look for unexpected traffic patterns to the router's web management port from internal hosts, particularly from user machines that should not need router administration access. Intrusion detection systems may flag oversized parameter payloads if configured with VoIP protocol-aware rules. Consider deploying a WAF or proxy in front of the router if it is internet-exposed for any service.

Why prioritize this

This vulnerability ranks high due to the combination of network accessibility, high impact (full device compromise), and likely prevalence of unchanged default credentials in deployed Tenda routers. While it requires authentication, the ease of exploitation and the critical role of network infrastructure justify immediate attention. Organizations with publicly accessible routers or weak access controls should prioritize patching or isolating these devices within 30 days.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects a HIGH severity vulnerability: network attack vector (AV:N), low attack complexity (AC:L), but low privilege requirement (PR:L)—meaning only a low-level authenticated user is needed. The impact scope is unchanged (S:U), but all three impact categories—confidentiality, integrity, and availability—are rated high (C:H, I:H, A:H). The authentication requirement prevents a maximum score but does not reduce the threat significantly if credential compromise or default credentials are common in your environment.

Frequently asked questions

Do I need to change my router password before or after patching?

Change it immediately. Even if you plan to patch today, an attacker with default credentials can exploit the vulnerability before your patch deploys. Use a strong, unique password and document it securely. After patching, change it again as a best practice.

Can this vulnerability be exploited by an unauthenticated attacker?

No, valid credentials are required to access the /boaform/voip_other_set endpoint. However, if your router uses default credentials or they have been compromised, this barrier is bypassed. This is why credential hygiene and network access controls are critical mitigations.

Does Tenda provide patches for all firmware versions of these models?

Verify with Tenda's official advisory—the ground truth shows only firmware version 300001138_en_xpon is explicitly confirmed vulnerable. Older or newer revisions may or may not be affected. Obtain the latest recommended firmware version from Tenda's support page for your specific router model.

What if I cannot patch my router immediately?

Implement network-level controls: restrict inbound access to the web management port, disable remote management, and segment the router from sensitive systems. Monitor for exploitation attempts and escalate patching in your change management process. If these mitigations cannot be sustained, consider replacing the device.

This analysis is based on information published as of June 2026 and the CVE record provided. Vulnerability details, patch availability, and remediation guidance may evolve. Always consult the official Tenda security advisory and verify patch version numbers before deployment. SEC.co does not provide exploit code or weaponized proof-of-concept information. Organizations should conduct their own risk assessment and testing in controlled environments. Firmware versions, patch URLs, and specific affected SKUs should be validated against vendor sources before making infrastructure decisions. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).