CVE-2026-2907

HighPublic PoC

Published: 22 February 2026

Published

22 February 2026

Modified

23 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A weakness has been identified in Tenda HG9 300001138. Affected by this vulnerability is an unknown functionality of the file /boaform/formgponConf of the component GPON Configuration Endpoint. This manipulation of the argument fmgpon_loid/fmgpon_loid_password causes stack-based buffer overflow. Remote exploitation of…

the attack is possible. The exploit has been made available to the public and could be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely remediation through patching the stack-based buffer overflow in the GPON configuration endpoint.

SI-10 Information Input Validation good match

prevent

Prevents the buffer overflow by enforcing validation of user-supplied inputs like fmgpon_loid and fmgpon_loid_password parameters.

SI-16 Memory Protection good match

prevent

Mitigates exploitation of the stack-based buffer overflow using memory protections such as stack canaries, ASLR, and non-executable memory.

Security SummaryAI

CVE-2026-2907 is a stack-based buffer overflow vulnerability affecting the Tenda HG9 router with firmware version 300001138. The flaw resides in an unknown functionality of the GPON Configuration Endpoint, specifically the /boaform/formgponConf file, where manipulation of the fmgpon_loid and fmgpon_loid_password arguments triggers the overflow. Published on 2026-02-22, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

Remote attackers with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) under an unchanged scope (S:U), for a CVSS v3.1 base score of 8.8. Successful exploitation could enable arbitrary code execution or system compromise on the affected device.

References from VulDB and a GitHub repository confirm remote exploitation is possible and note that a public exploit has been made available, increasing the risk of attacks. The Tenda manufacturer's website (tenda.com.cn) is listed, though no specific patch or mitigation details are provided in the advisories.

Details

CWE(s): CWE-119 CWE-121

Affected Products

tenda

hg9 firmware

300001138

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in public-facing GPON Configuration Endpoint (/boaform/formgponConf) on Tenda HG9 router enables remote arbitrary code execution with low privileges over the network, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/QIU-DIE/cve-nneeww/issues/9
Exploit, Issue Tracking, Mitigation, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.347216
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.347216
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.755201
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com