CVE-2026-11553: Tenda Router Stack Buffer Overflow RCE Vulnerability
Tenda HG7, HG9, and HG10 routers contain a dangerous flaw in their web interface that allows an authenticated attacker to crash the device or take control of it by sending a specially crafted request. The vulnerability resides in how the router processes user input for a specific configuration parameter, failing to properly validate the length of data before storing it in memory. An attacker with login credentials can exploit this remotely without any user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formPPPEdit of the file /boaform/formPPPEdit. The manipulation of the argument encodename results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11553 is a stack-based buffer overflow in the formPPPEdit function of Tenda router models HG7, HG9, and HG10 (firmware 300001138_en_xpon). The encodename argument is not properly bounds-checked before being written to stack memory. This classical memory safety issue (CWE-119, CWE-121) permits remote code execution or denial of service in the context of the web administration process. The vulnerability requires prior authentication but no additional user interaction.
Business impact
For organizations relying on Tenda routers for branch or remote office connectivity, this vulnerability poses a significant operational risk. A malicious insider or compromised administrative account could destabilize network access or establish persistent control over the device. Recovery requires manual intervention and potential downtime. Given the CVSS 8.8 severity and the published exploit, attackers are likely to incorporate this into attack chains targeting administrative access.
Affected systems
Tenda HG7, HG9, and HG10 routers running firmware version 300001138_en_xpon are affected. Verify your device model and firmware version via the administration interface. Consult the Tenda advisory to confirm whether your specific firmware build is in scope.
Exploitability
The exploit has been publicly disclosed as of June 2026. Exploitation requires valid login credentials to the router's web interface, reducing the attack surface to authenticated users. However, in environments where administrative credentials are shared, reused across devices, or compromised through phishing, the practical exploitability is elevated. The low complexity (AC:L) and network accessibility (AV:N) make this practical to weaponize once credentials are obtained.
Remediation
Immediately apply the latest firmware patch from Tenda for your router model. If patched firmware is not yet available, restrict access to the router's web administration interface using firewall rules or IP whitelisting. Disable remote management features if not strictly necessary. Audit administrator accounts and force password resets on privileged credentials. Monitor for unusual configuration changes on affected devices.
Patch guidance
Check the Tenda support portal for your router model (HG7, HG9, or HG10) and download the latest firmware release post-June 2026. Verify the firmware version number against the Tenda security advisory before deployment. Most Tenda devices support firmware updates via the web interface; follow the vendor's documented update procedure and avoid interrupting the process. Test in a non-production environment if possible.
Detection guidance
Monitor web server logs on the router for POST requests to /boaform/formPPPEdit with unusually long or malformed encodename parameters. Look for sudden restarts, crashes, or unresponsive administrative interfaces. Network-based detection is challenging without deep packet inspection; focus on access control auditing. Check for unauthorized changes to PPP configuration or unusual outbound connections initiated by the router process.
Why prioritize this
This is a high-severity, authenticated remote code execution in a network perimeter device with public exploit availability. While authentication is required, the impact spans confidentiality, integrity, and availability. Routers are high-value targets for maintaining persistence and lateral movement. Organizations should prioritize patching or containment within days, not weeks.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability with high impact across all three security properties (confidentiality, integrity, availability). The main mitigating factor is the requirement for prior authentication (PR:L). The public exploit and broad potential for use in supply chain or insider threat scenarios support urgent remediation.
Frequently asked questions
Do I need to be on the local network to exploit this vulnerability?
No. The vulnerability is remotely exploitable over the network (CVSS AV:N), but an attacker must have valid login credentials to the router's web interface. This typically means either a compromised admin password or internal access.
What firmware versions are vulnerable?
Tenda HG7, HG9, and HG10 devices with firmware 300001138_en_xpon are confirmed vulnerable. Check your device firmware version in the admin interface and cross-reference against the Tenda security advisory to confirm your exact build is affected.
If I cannot patch immediately, what can I do?
Restrict HTTP/HTTPS access to the router's web interface using a firewall or access control list, allowing only trusted administrator IP addresses. Disable remote management if enabled. Rotate all administrator passwords and monitor for suspicious configuration changes.
Is this vulnerability exploited in the wild?
The exploit has been publicly disclosed. While no active ransomware or mass exploitation campaigns have been confirmed, the public availability of proof-of-concept code increases the likelihood of opportunistic attacks. Treat this as a high priority.
This analysis is provided for informational purposes and based on publicly disclosed information as of June 2026. Patch availability, affected firmware versions, and remediation timelines vary by vendor and should be verified directly with Tenda's official security advisories. SEC.co does not provide warranty of accuracy or completeness. Organizations should conduct independent testing and validation before applying patches in production environments. Consult your vendor's official channels for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow