PatchSiren cyber security CVE debrief
CVE-2026-11553 Tenda CVE debrief
CVE-2026-11553 is a HIGH severity vulnerability (CVSS Score: 7.4) affecting Tenda HG7HG9 and HG10 300001138_en_xpon devices. The vulnerability is caused by a stack-based buffer overflow in the `formPPPEdit` function of the `/boaform/formPPPEdit` file, which can be exploited remotely by manipulating the `encodename` argument. The exploit has been made public and could be used.
- Vendor
- Tenda
- Product
- HG7HG9 and HG10
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-08
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-08
- Advisory updated
- 2026-06-09
Who should care
Administrators and users of Tenda HG7HG9 and HG10 300001138_en_xpon devices should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability is caused by a stack-based buffer overflow in the `formPPPEdit` function of the `/boaform/formPPPEdit` file. The attack can be launched remotely by manipulating the `encodename` argument.
Defensive priority
HIGH
Recommended defensive actions
- Apply patches or updates provided by the vendor, if available.
- Limit access to the affected devices and networks.
- Monitor network traffic and system logs for suspicious activity.
Evidence notes
The CVE record was published on 2026-06-08T18:16:32.480Z and modified on 2026-06-09T01:32:36.950Z. The vulnerability has been reported by Vuldb and has a CVSS score of 7.4.
Official resources
CVE-2026-11553 was published on 2026-06-08T18:16:32.480Z and last modified on 2026-06-09T01:32:36.950Z.