Tenda HG9 300001138: Unsecured Configuration Endpoint Allows Remote Exploit
CVE-2026-2907
Summary
A stack-based buffer overflow in the Tenda HG9 300001138 allows attackers to potentially access sensitive data or take control of the device remotely. The flaw is in the GPON Configuration Endpoint (/boaform/formgponConf), which does not safely handle the fmgpon_loid and fmgpon_loid_password arguments. To fix the issue, update the device firmware once a fixed version is released, or disable the GPON Configuration Endpoint if not needed.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| tenda | hg9_firmware | 300001138 | – |
Original title
A weakness has been identified in Tenda HG9 300001138. Affected by this vulnerability is an unknown functionality of the file /boaform/formgponConf of the component GPON Configuration Endpoint. Thi...
Original description
A weakness has been identified in Tenda HG9 300001138. Affected by this vulnerability is an unknown functionality of the file /boaform/formgponConf of the component GPON Configuration Endpoint. This manipulation of the argument fmgpon_loid/fmgpon_loid_password causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
| Source | CVSS version | Score |
|---|---|---|
| nvd | 2.0 | 9.0 |
| nvd | 3.1 | 8.8 |
| nvd | 4.0 | 7.4 |
Vulnerability type
- CWE-119: Buffer Overflow
- CWE-121: Stack-based Buffer Overflow
References
- https://github.com/QIU-DIE/cve-nneeww/issues/9 (Exploit, Issue Tracking, Mitigation, Third Party Advisory)
- https://vuldb.com/?ctiid.347216 (Permissions Required, VDB Entry)
- https://vuldb.com/?id.347216 (Third Party Advisory, VDB Entry)
- https://vuldb.com/?submit.755201 (Third Party Advisory, VDB Entry)
- https://www.tenda.com.cn/ (Product)
Published: 22 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026