HIGH | CVE-2026-11553 | CNA: VulDB

CVE-2026-11553: Tenda HG7HG9/HG10 formPPPEdit stack-based overflow

A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formPPPEdit of the file /boaform/formPPPEdit. The manipulation of the argument encodename results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 2

HarborGuard Analysis

Synopsis

A stack-based buffer overflow affects the formPPPEdit function in Tenda HG7HG9, HG9, and HG10 routers running firmware version 300001138_en_xpon. The vulnerability is reachable over the network by any authenticated user with a low-privilege account, triggered by sending a crafted value in the encodename argument to /boaform/formPPPEdit. Successful exploitation gives an attacker full read, write, and availability impact on the device, including the ability to execute arbitrary code. No fix version has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-11553 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images and pipeline artifacts, including custom-built images that bundle Tenda firmware components.

Triage: Available

Triage capability is available with the CVSS v4.0 score of 8.7 (HIGH) applied automatically to any matched image. Per-environment compliance policy weighting is available to adjust severity priority, and findings are routed to the appropriate team inbox within each customer organization.

Patch: Pending upstream

No upstream fix has been published for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, compensating-control guidance is surfaced in the finding detail for affected environments.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint /boaform/formPPPEdit is exposed over the network, so the attacker must be able to reach the device's web interface remotely.

  • Authentication: Required

    The attack requires a low-privilege authenticated session; any standard user account on the device is sufficient to trigger the overflow.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker sends a crafted HTTP request directly to the vulnerable endpoint without involving another user.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • Reads sensitive configuration data stored on the device, including PPP credentials and network settings.
  • Writes arbitrary data to the stack, enabling execution of attacker-controlled code on the device.
  • Crashes or reboots the affected router, disrupting network connectivity for all clients behind it.
  • A public proof-of-concept exploit is already available, lowering the bar for exploitation significantly.

How HarborGuard Handles This

Available on HarborGuard: any image or firmware artifact containing Tenda HG7HG9, HG9, or HG10 firmware version 300001138_en_xpon is flagged automatically once the CVE enters the feed, with the 8.7 HIGH score and per-environment compliance weighting applied. Because no upstream patch exists, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment a fix version is published; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. While no patch is available, customers can apply compensating controls surfaced in the finding detail: restrict access to the router web management interface via network policy or firewall rules to prevent remote exploitation, and consider isolating affected devices from untrusted network segments. The presence of a public exploit raises the urgency of these mitigations.
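One way to check that the access restriction described above is holding, as an added example (not HarborGuard or Tenda code): it scans access logs for requests to /boaform/formPPPEdit that arrive from outside the management network. It assumes a reverse proxy or firewall in front of the router's web interface writes Combined Log Format; the management subnet and the log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: the only subnet permitted to reach the router web interface.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
VULN_PATH = "/boaform/formpppedit"  # advisory endpoint, lowercased for matching

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.20.0.5 - admin [12/Mar/2026:09:14:02 +0000] "POST /boaform/formPPPEdit HTTP/1.1" 200 512',
    '203.0.113.77 - - [12/Mar/2026:09:15:40 +0000] "POST /boaform/formPPPEdit HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Mar/2026:09:16:01 +0000] "POST /boaform//form%50PPEdit?x=1 HTTP/1.1" 502 0',
    '203.0.113.77 - - [12/Mar/2026:09:16:30 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'garbage line',
]

def normalize_path(target):
    """Drop query/fragment, decode percent-escapes, collapse slashes, lowercase."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()  # lowercasing over-matches on purpose

def find_violations(lines):
    """Return (ip, timestamp, method, status) for endpoint hits from outside MGMT_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != VULN_PATH:
            continue  # unparseable line or unrelated URL
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            src = None  # hostname or junk in the address field: treat as untrusted
        if src is None or not any(src in net for net in MGMT_NETS):
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print("policy violation:", hit)
```

Any hit means the network policy is not fully blocking the endpoint; a 5xx status on such a request is worth correlating with router reboots.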

Affected packages

  • Tenda / HG7HG9
    300001138_en_xpon
  • Tenda / HG10
    300001138_en_xpon

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P