CVE-2026-2907

HighPublic PoC

Published: 22 February 2026

Published

22 February 2026

Modified

23 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2907 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Hg9 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely remediation through patching the stack-based buffer overflow in the GPON configuration endpoint.

SI-10 Information Input Validation good match

prevent

Prevents the buffer overflow by enforcing validation of user-supplied inputs like fmgpon_loid and fmgpon_loid_password parameters.

SI-16 Memory Protection good match

prevent

Mitigates exploitation of the stack-based buffer overflow using memory protections such as stack canaries, ASLR, and non-executable memory.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in public-facing GPON Configuration Endpoint (/boaform/formgponConf) on Tenda HG9 router enables remote arbitrary code execution with low privileges over the network, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A weakness has been identified in Tenda HG9 300001138. Affected by this vulnerability is an unknown functionality of the file /boaform/formgponConf of the component GPON Configuration Endpoint. This manipulation of the argument fmgpon_loid/fmgpon_loid_password causes stack-based buffer overflow. Remote exploitation of…

the attack is possible. The exploit has been made available to the public and could be used for attacks.

Deeper analysisAI

CVE-2026-2907 is a stack-based buffer overflow vulnerability affecting the Tenda HG9 router with firmware version 300001138. The flaw resides in an unknown functionality of the GPON Configuration Endpoint, specifically the /boaform/formgponConf file, where manipulation of the fmgpon_loid and fmgpon_loid_password arguments triggers the overflow. Published on 2026-02-22, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

Remote attackers with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) under an unchanged scope (S:U), for a CVSS v3.1 base score of 8.8. Successful exploitation could enable arbitrary code execution or system compromise on the affected device.

References from VulDB and a GitHub repository confirm remote exploitation is possible and note that a public exploit has been made available, increasing the risk of attacks. The Tenda manufacturer's website (tenda.com.cn) is listed, though no specific patch or mitigation details are provided in the advisories.

Details

CWE(s): CWE-119 CWE-121

Affected Products

tenda

hg9 firmware

300001138

CVEs Like This One

CVE-2026-2906Same product: Tenda Hg9

CVE-2026-2909Same product: Tenda Hg9

CVE-2026-2908Same product: Tenda Hg9

CVE-2026-2910Same product: Tenda Hg9

CVE-2026-2905Same product: Tenda Hg9

CVE-2025-14992Same vendor: Tenda

CVE-2025-11527Same vendor: Tenda

CVE-2025-11326Same vendor: Tenda

CVE-2025-7792Same vendor: Tenda

CVE-2025-1851Same vendor: Tenda

References

https://github.com/QIU-DIE/cve-nneeww/issues/9
Exploit, Issue Tracking, Mitigation, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.347216
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.347216
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.755201
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com