PatchSiren cyber security CVE debrief
CVE-2026-11498 Tenda CVE debrief
A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. Affected by this issue is the function asp_voip_OtherSet of the file /boaform/voip_other_set of the component Web Management Interface. Performing a manipulation of the argument funckey_transfer results in stack-based buffer overflow. The attack is possible to be carried out remotely.
- Vendor
- Tenda
- Product
- HG7HG9
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-08
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-06-08
- Advisory updated
- 2026-06-08
Who should care
Administrators and users of Tenda HG7HG9 and HG10 300001138_en_xpon devices should be aware of this vulnerability and apply patches or mitigations as available.
Technical summary
The vulnerability exists in the Web Management Interface of Tenda HG7HG9 and HG10 300001138_en_xpon devices, specifically in the asp_voip_OtherSet function of the /boaform/voip_other_set file. A remote attacker can exploit this vulnerability by manipulating the funckey_transfer argument, leading to a stack-based buffer overflow.
Defensive priority
HIGH
Recommended defensive actions
- Apply patches or updates provided by the vendor as soon as possible.
- Limit access to the Web Management Interface to trusted users and networks.
- Monitor network traffic and system logs for suspicious activity.
Evidence notes
The CVE-2026-11498 vulnerability has a CVSS score of 8.7 and is classified as HIGH severity. The vulnerability is caused by a stack-based buffer overflow in the asp_voip_OtherSet function of the /boaform/voip_other_set file.
Official resources
CVE-2026-11498 was published on 2026-06-08T09:16:29.753Z and modified on 2026-06-08T14:57:14.757Z.